Analysis Overview
SHA256
28e5ae202e258b19680786bfa282d772f5edd8c12c0a3f215d5773c7835f00f2
Threat Level: Known bad
The file SynapseFromWish.zip was found to be: Known bad.
Malicious Activity Summary
Vanillarat family
VanillaRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Vanilla Rat payload
Vanilla Rat payload
Drops file in Drivers directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-21 22:39
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-21 22:39
Reported
2023-07-21 22:41
Platform
win7-20230712-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1376 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
| PID 1376 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
| PID 1376 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
| PID 1376 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.230:9545 | silentminer.tplinkdns.com | tcp |
Files
memory/1376-54-0x0000000001150000-0x0000000001172000-memory.dmp
memory/1376-55-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/1376-56-0x0000000004970000-0x00000000049B0000-memory.dmp
\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
memory/1376-64-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/2476-65-0x00000000002B0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
memory/2476-66-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/2476-67-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
memory/2476-68-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/2476-69-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-21 22:39
Reported
2023-07-21 22:41
Platform
win10v2004-20230703-en
Max time kernel
84s
Max time network
126s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\injector.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
| PID 3408 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
| PID 3408 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.230:9545 | silentminer.tplinkdns.com | tcp |
| US | 8.8.8.8:53 | 230.135.158.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
Files
memory/3408-133-0x0000000000D40000-0x0000000000D62000-memory.dmp
memory/3408-134-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/3408-135-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/3408-136-0x0000000005750000-0x00000000057E2000-memory.dmp
memory/3408-137-0x00000000059C0000-0x00000000059D0000-memory.dmp
memory/3408-138-0x0000000005810000-0x000000000581A000-memory.dmp
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
memory/3408-150-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/1136-151-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/1136-152-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/1136-153-0x0000000008A90000-0x0000000008AF6000-memory.dmp
memory/1136-154-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/1136-155-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-07-21 22:39
Reported
2023-07-21 22:41
Platform
win7-20230712-en
Max time kernel
154s
Max time network
130s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2264 created 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 2264 created 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 2264 created 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 2264 created 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2264 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\System32\dialer.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\release-v2.exe
"C:\Users\Admin\AppData\Local\Temp\release-v2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
memory/2264-54-0x000000013F650000-0x000000013FC67000-memory.dmp
memory/2564-59-0x000000001B2F0000-0x000000001B5D2000-memory.dmp
memory/2564-60-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
memory/2564-61-0x00000000022F0000-0x0000000002370000-memory.dmp
memory/2564-62-0x00000000022F0000-0x0000000002370000-memory.dmp
memory/2564-63-0x00000000022D0000-0x00000000022D8000-memory.dmp
memory/2564-64-0x00000000022F0000-0x0000000002370000-memory.dmp
memory/2564-65-0x00000000022F0000-0x0000000002370000-memory.dmp
memory/2564-66-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
memory/2752-69-0x0000000077AC0000-0x0000000077C69000-memory.dmp
memory/2752-71-0x00000000778A0000-0x00000000779BF000-memory.dmp
memory/424-72-0x0000000000720000-0x0000000000741000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a21e8324e445b828c69c29c60d890376 |
| SHA1 | f5515ace26ed818ccaf2d1ed14cef9dc7afde2ba |
| SHA256 | 4393832f449297850d8c243f23912605ceaeab1250e608ceccea4239c4c2b422 |
| SHA512 | 1f7a825d8086f647ba99fa351a9d34150da6724305672f17d7a561efdc77c823f25a70aee4067e73c1cfb68652d57e05395c001d1c19703cadb43dfbd809920e |
memory/424-74-0x0000000000720000-0x0000000000741000-memory.dmp
memory/424-76-0x0000000000750000-0x0000000000777000-memory.dmp
memory/424-77-0x0000000000750000-0x0000000000777000-memory.dmp
memory/2264-80-0x000000013F650000-0x000000013FC67000-memory.dmp
memory/2768-85-0x000000001B160000-0x000000001B442000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1HH8E2YOGAM1AKLL57SR.temp
| MD5 | a21e8324e445b828c69c29c60d890376 |
| SHA1 | f5515ace26ed818ccaf2d1ed14cef9dc7afde2ba |
| SHA256 | 4393832f449297850d8c243f23912605ceaeab1250e608ceccea4239c4c2b422 |
| SHA512 | 1f7a825d8086f647ba99fa351a9d34150da6724305672f17d7a561efdc77c823f25a70aee4067e73c1cfb68652d57e05395c001d1c19703cadb43dfbd809920e |
memory/2768-87-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
memory/2768-88-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2768-90-0x0000000001EF0000-0x0000000001F70000-memory.dmp
memory/468-91-0x00000000002F0000-0x0000000000317000-memory.dmp
memory/484-98-0x0000000000250000-0x0000000000277000-memory.dmp
memory/468-96-0x0000000037B00000-0x0000000037B10000-memory.dmp
memory/2768-94-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
memory/468-93-0x000007FEBDCD0000-0x000007FEBDCE0000-memory.dmp
memory/484-102-0x000007FEBDCD0000-0x000007FEBDCE0000-memory.dmp
memory/484-105-0x0000000037B00000-0x0000000037B10000-memory.dmp
memory/492-106-0x0000000000330000-0x0000000000357000-memory.dmp
memory/2752-108-0x0000000077AC0000-0x0000000077C69000-memory.dmp
memory/2752-104-0x0000000140000000-0x0000000140029000-memory.dmp
memory/492-110-0x000007FEBDCD0000-0x000007FEBDCE0000-memory.dmp
memory/492-112-0x0000000037B00000-0x0000000037B10000-memory.dmp
memory/2768-111-0x0000000001EF0000-0x0000000001F70000-memory.dmp
memory/468-114-0x00000000002F0000-0x0000000000317000-memory.dmp
memory/468-115-0x0000000077B11000-0x0000000077B12000-memory.dmp
memory/2768-117-0x0000000001EF4000-0x0000000001EF7000-memory.dmp
memory/484-116-0x0000000000250000-0x0000000000277000-memory.dmp
memory/2768-118-0x0000000001EF0000-0x0000000001F70000-memory.dmp
memory/492-120-0x0000000000330000-0x0000000000357000-memory.dmp
memory/2768-119-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
memory/1344-121-0x00000000026E0000-0x00000000026E1000-memory.dmp
memory/1344-122-0x00000000026E0000-0x00000000026E1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-07-21 22:39
Reported
2023-07-21 22:41
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3132 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 3132 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 3132 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
| PID 3132 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\Explorer.EXE |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3132 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | C:\Windows\System32\dialer.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\winlogon.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\dwm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\smss.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\smss.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\release-v2.exe
"C:\Users\Admin\AppData\Local\Temp\release-v2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1016 -ip 1016
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 584 -ip 584
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 584 -s 764
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1016 -s 3832
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/3132-133-0x00007FF6CC470000-0x00007FF6CCA87000-memory.dmp
memory/3940-134-0x0000017AB1F90000-0x0000017AB1FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrzytt2q.pxb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3940-144-0x00007FF8130A0000-0x00007FF813B61000-memory.dmp
memory/3940-145-0x0000017AB1FE0000-0x0000017AB1FF0000-memory.dmp
memory/3940-146-0x0000017AB1FE0000-0x0000017AB1FF0000-memory.dmp
memory/3940-147-0x0000017AB1FE0000-0x0000017AB1FF0000-memory.dmp
memory/3940-150-0x00007FF8130A0000-0x00007FF813B61000-memory.dmp
memory/4480-153-0x00007FF831950000-0x00007FF831B45000-memory.dmp
memory/4480-154-0x00007FF8315C0000-0x00007FF83167E000-memory.dmp
memory/584-155-0x0000025E83A80000-0x0000025E83AA1000-memory.dmp
memory/584-161-0x00007FF8319ED000-0x00007FF8319EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/668-165-0x000001B412890000-0x000001B4128B7000-memory.dmp
memory/668-162-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/668-159-0x000001B412890000-0x000001B4128B7000-memory.dmp
memory/584-158-0x0000025E83AB0000-0x0000025E83AD7000-memory.dmp
memory/1016-168-0x00000231B3020000-0x00000231B3047000-memory.dmp
memory/944-171-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/3132-170-0x00007FF6CC470000-0x00007FF6CCA87000-memory.dmp
memory/944-167-0x0000024D8BDD0000-0x0000024D8BDF7000-memory.dmp
memory/528-174-0x000001CF4BD60000-0x000001CF4BD87000-memory.dmp
memory/668-175-0x00007FF8319EC000-0x00007FF8319ED000-memory.dmp
memory/528-176-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/668-172-0x00007FF8319ED000-0x00007FF8319EE000-memory.dmp
memory/616-178-0x00007FF8130A0000-0x00007FF813B61000-memory.dmp
memory/616-179-0x0000017FD7D40000-0x0000017FD7D50000-memory.dmp
memory/616-180-0x0000017FD7D40000-0x0000017FD7D50000-memory.dmp
memory/944-181-0x0000024D8BDD0000-0x0000024D8BDF7000-memory.dmp
memory/1016-183-0x00000231B3020000-0x00000231B3047000-memory.dmp
memory/528-193-0x000001CF4BD60000-0x000001CF4BD87000-memory.dmp
memory/628-197-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/616-198-0x0000017FD7D40000-0x0000017FD7D50000-memory.dmp
memory/628-196-0x00000289E6530000-0x00000289E6557000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/440-206-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/1040-205-0x0000022FDED40000-0x0000022FDED67000-memory.dmp
memory/1040-207-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/440-204-0x0000029479390000-0x00000294793B7000-memory.dmp
memory/1080-210-0x0000013954540000-0x0000013954567000-memory.dmp
memory/1080-212-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/1192-220-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/1216-219-0x000002A4CDF90000-0x000002A4CDFB7000-memory.dmp
memory/1292-228-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/1216-226-0x000002A4CDF90000-0x000002A4CDFB7000-memory.dmp
memory/1292-229-0x0000021F2F930000-0x0000021F2F957000-memory.dmp
memory/1292-224-0x0000021F2F930000-0x0000021F2F957000-memory.dmp
memory/1216-223-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/4480-222-0x00007FF699130000-0x00007FF699159000-memory.dmp
memory/1192-218-0x0000023EEF380000-0x0000023EEF3A7000-memory.dmp
memory/1332-232-0x000001EFF25D0000-0x000001EFF25F7000-memory.dmp
memory/584-233-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/584-234-0x0000025E83AB0000-0x0000025E83AD7000-memory.dmp
memory/1332-235-0x00007FF7F19D0000-0x00007FF7F19E0000-memory.dmp
memory/1352-244-0x000001F56ED80000-0x000001F56EDA7000-memory.dmp
memory/616-262-0x00007FF8130A0000-0x00007FF813B61000-memory.dmp
memory/1400-265-0x0000014AC1160000-0x0000014AC1187000-memory.dmp
memory/1388-267-0x0000025D323B0000-0x0000025D323D7000-memory.dmp
memory/668-268-0x000001B412890000-0x000001B4128B7000-memory.dmp
memory/628-269-0x00000289E6530000-0x00000289E6557000-memory.dmp
memory/1528-264-0x00000156359A0000-0x00000156359C7000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
memory/440-306-0x0000029479390000-0x00000294793B7000-memory.dmp
memory/1040-307-0x0000022FDED40000-0x0000022FDED67000-memory.dmp
memory/1080-308-0x0000013954540000-0x0000013954567000-memory.dmp
memory/1192-309-0x0000023EEF380000-0x0000023EEF3A7000-memory.dmp
memory/1216-310-0x000002A4CDF90000-0x000002A4CDFB7000-memory.dmp
memory/1292-311-0x0000021F2F930000-0x0000021F2F957000-memory.dmp
memory/1332-312-0x000001EFF25D0000-0x000001EFF25F7000-memory.dmp
memory/1352-313-0x000001F56ED80000-0x000001F56EDA7000-memory.dmp
memory/1528-314-0x00000156359A0000-0x00000156359C7000-memory.dmp