Analysis
-
max time kernel
90s -
max time network
312s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system -
submitted
02-09-2023 04:51
Static task
static1
General
-
Target
673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe
-
Size
619KB
-
MD5
06add227c345dd1c1431948aa14daa60
-
SHA1
997d37b60d2760f9c7a39f69bdc682ced0f61453
-
SHA256
673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5
-
SHA512
0070004fb3cceacb670bf9ee38159c52782e367357ddd360ee4685de1829a92083ea7d62a131778dd9c68b4f3f455b28b2ec63e5e3bb8a5b7979c45a7c1f67dd
-
SSDEEP
12288:/F+sUVFY9mukbdejkPjIQ65D5zgXQCR4MZ/R3rAKyX:/FsVi9mxbkjkPjIQLX9TVKKg
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Extracted
redline
010923
happy1sept.tuktuk.ug:11290
-
auth_value
8338bf26f599326ee45afe9d54f7ef8e
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
Detect Fabookie payload 2 IoCs
resource yara_rule behavioral2/memory/4668-56-0x00000000035B0000-0x00000000036E1000-memory.dmp family_fabookie behavioral2/memory/4668-162-0x00000000035B0000-0x00000000036E1000-memory.dmp family_fabookie -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs
description pid Process procid_target PID 4948 created 3260 4948 msedge.exe 36 PID 1560 created 3260 1560 Process not Found 36 PID 4948 created 3260 4948 msedge.exe 36 PID 4948 created 3260 4948 msedge.exe 36 PID 4948 created 3260 4948 msedge.exe 36 PID 2968 created 3260 2968 msedge.exe 36 PID 4948 created 3260 4948 msedge.exe 36 PID 1560 created 3260 1560 Process not Found 36 PID 1560 created 3260 1560 Process not Found 36 PID 1560 created 3260 1560 Process not Found 36 PID 2968 created 3260 2968 msedge.exe 36 PID 2968 created 3260 2968 msedge.exe 36 PID 2968 created 3260 2968 msedge.exe 36 PID 1560 created 3260 1560 Process not Found 36 PID 2968 created 3260 2968 msedge.exe 36 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ winlog.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ winlog.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ winlog.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts msedge.exe File created C:\Windows\System32\drivers\etc\hosts Process not Found File created C:\Windows\System32\drivers\etc\hosts msedge.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1800 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion winlog.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion winlog.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion winlog.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion winlog.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion winlog.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion winlog.exe -
Executes dropped EXE 27 IoCs
pid Process 4668 ss41.exe 3932 oldplayer.exe 4972 oneetx.exe 4932 softtool.exe 364 taskhost.exe 596 winlog.exe 4948 msedge.exe 1704 alldata.exe 5080 taskhost.exe 4592 winlog.exe 1380 Process not Found 3024 taskhost.exe 3476 taskhost.exe 4968 taskhost.exe 1560 msedge.exe 2360 4t.exe 840 taskhost.exe 3644 winlog.exe 2968 msedge.exe 4212 taskhost.exe 420 taskhost.exe 3404 taskhost.exe 4596 taskhost.exe 3808 oneetx.exe 316 softtool.exe 3636 alldata.exe 4940 updater.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000700000001b02d-2724.dat upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlog.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlog.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlog.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 596 winlog.exe 4592 winlog.exe 3644 winlog.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 364 set thread context of 4968 364 taskhost.exe 93 PID 5080 set thread context of 3404 5080 taskhost.exe 101 PID 840 set thread context of 4596 840 taskhost.exe 104 PID 4932 set thread context of 316 4932 softtool.exe 105 -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe msedge.exe File created C:\Program Files\Google\Chrome\updater.exe Process not Found File created C:\Program Files\Google\Chrome\updater.exe msedge.exe -
Launches sc.exe 21 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 764 sc.exe 4936 sc.exe 2216 sc.exe 4428 sc.exe 2196 sc.exe 4968 sc.exe 3956 sc.exe 4300 sc.exe 4456 sc.exe 4308 sc.exe 3812 sc.exe 4516 sc.exe 2484 sc.exe 2532 sc.exe 4476 sc.exe 3316 sc.exe 4288 sc.exe 4384 sc.exe 3764 sc.exe 880 sc.exe 4296 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI softtool.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI softtool.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI softtool.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3564 schtasks.exe 4248 schtasks.exe 3460 schtasks.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 58 Go-http-client/1.1 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" alldata.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" alldata.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" alldata.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4948 msedge.exe 4948 msedge.exe 364 taskhost.exe 364 taskhost.exe 364 taskhost.exe 364 taskhost.exe 364 taskhost.exe 364 taskhost.exe 1560 msedge.exe 1560 msedge.exe 2968 msedge.exe 2968 msedge.exe 5080 taskhost.exe 5080 taskhost.exe 5080 taskhost.exe 5080 taskhost.exe 4968 sc.exe 4968 sc.exe 4968 sc.exe 316 softtool.exe 316 softtool.exe 4948 msedge.exe 4948 msedge.exe 312 powershell.exe 312 powershell.exe 4596 taskhost.exe 312 powershell.exe 4596 taskhost.exe 3404 taskhost.exe 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3404 taskhost.exe 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3404 taskhost.exe 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 644 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 316 softtool.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 364 taskhost.exe Token: SeDebugPrivilege 5080 taskhost.exe Token: SeDebugPrivilege 840 taskhost.exe Token: SeDebugPrivilege 4968 sc.exe Token: SeDebugPrivilege 312 powershell.exe Token: SeDebugPrivilege 4596 taskhost.exe Token: SeDebugPrivilege 3404 taskhost.exe Token: SeIncreaseQuotaPrivilege 312 powershell.exe Token: SeSecurityPrivilege 312 powershell.exe Token: SeTakeOwnershipPrivilege 312 powershell.exe Token: SeLoadDriverPrivilege 312 powershell.exe Token: SeSystemProfilePrivilege 312 powershell.exe Token: SeSystemtimePrivilege 312 powershell.exe Token: SeProfSingleProcessPrivilege 312 powershell.exe Token: SeIncBasePriorityPrivilege 312 powershell.exe Token: SeCreatePagefilePrivilege 312 powershell.exe Token: SeBackupPrivilege 312 powershell.exe Token: SeRestorePrivilege 312 powershell.exe Token: SeShutdownPrivilege 312 powershell.exe Token: SeDebugPrivilege 312 powershell.exe Token: SeSystemEnvironmentPrivilege 312 powershell.exe Token: SeRemoteShutdownPrivilege 312 powershell.exe Token: SeUndockPrivilege 312 powershell.exe Token: SeManageVolumePrivilege 312 powershell.exe Token: 33 312 powershell.exe Token: 34 312 powershell.exe Token: 35 312 powershell.exe Token: 36 312 powershell.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeDebugPrivilege 3632 powershell.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeDebugPrivilege 4808 powercfg.exe Token: SeIncreaseQuotaPrivilege 4808 powercfg.exe Token: SeSecurityPrivilege 4808 powercfg.exe Token: SeTakeOwnershipPrivilege 4808 powercfg.exe Token: SeLoadDriverPrivilege 4808 powercfg.exe Token: SeSystemProfilePrivilege 4808 powercfg.exe Token: SeSystemtimePrivilege 4808 powercfg.exe Token: SeProfSingleProcessPrivilege 4808 powercfg.exe Token: SeIncBasePriorityPrivilege 4808 powercfg.exe Token: SeCreatePagefilePrivilege 4808 powercfg.exe Token: SeBackupPrivilege 4808 powercfg.exe Token: SeRestorePrivilege 4808 powercfg.exe Token: SeShutdownPrivilege 4808 powercfg.exe Token: SeDebugPrivilege 4808 powercfg.exe Token: SeSystemEnvironmentPrivilege 4808 powercfg.exe Token: SeRemoteShutdownPrivilege 4808 powercfg.exe Token: SeUndockPrivilege 4808 powercfg.exe Token: SeManageVolumePrivilege 4808 powercfg.exe Token: 33 4808 powercfg.exe Token: 34 4808 powercfg.exe Token: 35 4808 powercfg.exe Token: 36 4808 powercfg.exe Token: SeDebugPrivilege 4600 powershell.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeShutdownPrivilege 436 windefender.exe Token: SeCreatePagefilePrivilege 436 windefender.exe Token: SeShutdownPrivilege 3368 powercfg.exe Token: SeCreatePagefilePrivilege 3368 powercfg.exe Token: SeShutdownPrivilege 1692 powercfg.exe Token: SeCreatePagefilePrivilege 1692 powercfg.exe Token: SeShutdownPrivilege 3260 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3932 oldplayer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4500 wrote to memory of 4668 4500 673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe 70 PID 4500 wrote to memory of 4668 4500 673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe 70 PID 4500 wrote to memory of 3932 4500 673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe 71 PID 4500 wrote to memory of 3932 4500 673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe 71 PID 4500 wrote to memory of 3932 4500 673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe 71 PID 3932 wrote to memory of 4972 3932 oldplayer.exe 72 PID 3932 wrote to memory of 4972 3932 oldplayer.exe 72 PID 3932 wrote to memory of 4972 3932 oldplayer.exe 72 PID 4972 wrote to memory of 3564 4972 oneetx.exe 73 PID 4972 wrote to memory of 3564 4972 oneetx.exe 73 PID 4972 wrote to memory of 3564 4972 oneetx.exe 73 PID 4972 wrote to memory of 516 4972 oneetx.exe 74 PID 4972 wrote to memory of 516 4972 oneetx.exe 74 PID 4972 wrote to memory of 516 4972 oneetx.exe 74 PID 516 wrote to memory of 4228 516 cmd.exe 77 PID 516 wrote to memory of 4228 516 cmd.exe 77 PID 516 wrote to memory of 4228 516 cmd.exe 77 PID 516 wrote to memory of 1476 516 cmd.exe 78 PID 516 wrote to memory of 1476 516 cmd.exe 78 PID 516 wrote to memory of 1476 516 cmd.exe 78 PID 516 wrote to memory of 4776 516 cmd.exe 79 PID 516 wrote to memory of 4776 516 cmd.exe 79 PID 516 wrote to memory of 4776 516 cmd.exe 79 PID 516 wrote to memory of 4868 516 cmd.exe 80 PID 516 wrote to memory of 4868 516 cmd.exe 80 PID 516 wrote to memory of 4868 516 cmd.exe 80 PID 516 wrote to memory of 2988 516 cmd.exe 81 PID 516 wrote to memory of 2988 516 cmd.exe 81 PID 516 wrote to memory of 2988 516 cmd.exe 81 PID 516 wrote to memory of 3468 516 cmd.exe 82 PID 516 wrote to memory of 3468 516 cmd.exe 82 PID 516 wrote to memory of 3468 516 cmd.exe 82 PID 4972 wrote to memory of 4932 4972 oneetx.exe 83 PID 4972 wrote to memory of 4932 4972 oneetx.exe 83 PID 4972 wrote to memory of 4932 4972 oneetx.exe 83 PID 4972 wrote to memory of 364 4972 oneetx.exe 84 PID 4972 wrote to memory of 364 4972 oneetx.exe 84 PID 4972 wrote to memory of 364 4972 oneetx.exe 84 PID 4972 wrote to memory of 596 4972 oneetx.exe 85 PID 4972 wrote to memory of 596 4972 oneetx.exe 85 PID 4972 wrote to memory of 4948 4972 oneetx.exe 86 PID 4972 wrote to memory of 4948 4972 oneetx.exe 86 PID 4972 wrote to memory of 1704 4972 oneetx.exe 87 PID 4972 wrote to memory of 1704 4972 oneetx.exe 87 PID 4972 wrote to memory of 1704 4972 oneetx.exe 87 PID 4972 wrote to memory of 5080 4972 oneetx.exe 88 PID 4972 wrote to memory of 5080 4972 oneetx.exe 88 PID 4972 wrote to memory of 5080 4972 oneetx.exe 88 PID 364 wrote to memory of 1380 364 taskhost.exe 89 PID 364 wrote to memory of 1380 364 taskhost.exe 89 PID 364 wrote to memory of 1380 364 taskhost.exe 89 PID 4972 wrote to memory of 4592 4972 oneetx.exe 90 PID 4972 wrote to memory of 4592 4972 oneetx.exe 90 PID 364 wrote to memory of 3024 364 taskhost.exe 91 PID 364 wrote to memory of 3024 364 taskhost.exe 91 PID 364 wrote to memory of 3024 364 taskhost.exe 91 PID 364 wrote to memory of 3476 364 taskhost.exe 92 PID 364 wrote to memory of 3476 364 taskhost.exe 92 PID 364 wrote to memory of 3476 364 taskhost.exe 92 PID 364 wrote to memory of 4968 364 taskhost.exe 93 PID 364 wrote to memory of 4968 364 taskhost.exe 93 PID 364 wrote to memory of 4968 364 taskhost.exe 93 PID 364 wrote to memory of 4968 364 taskhost.exe 93 PID 364 wrote to memory of 4968 364 taskhost.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe"C:\Users\Admin\AppData\Local\Temp\673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\ss41.exe"C:\Users\Admin\AppData\Local\Temp\ss41.exe"3⤵
- Executes dropped EXE
PID:4668
-
-
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F5⤵
- Creates scheduled task(s)
PID:3564
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4228
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"6⤵PID:1476
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E6⤵PID:4776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4868
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"6⤵PID:2988
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E6⤵PID:3468
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000434001\softtool.exe"C:\Users\Admin\AppData\Local\Temp\1000434001\softtool.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\1000434001\softtool.exe"C:\Users\Admin\AppData\Local\Temp\1000434001\softtool.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:316
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
PID:3476
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
PID:4968
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:596
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4948
-
-
C:\Users\Admin\AppData\Local\Temp\1000435001\alldata.exe"C:\Users\Admin\AppData\Local\Temp\1000435001\alldata.exe"5⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
C:\Users\Admin\AppData\Local\Temp\1000435001\alldata.exe"C:\Users\Admin\AppData\Local\Temp\1000435001\alldata.exe"6⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Modifies data under HKEY_USERS
PID:1452
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:5096
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:1800
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:4844
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:4004
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵PID:660
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:1252
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:4248
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:4524
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:3340
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵PID:1916
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:3460
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵PID:4072
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:2940
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
PID:4296
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe8⤵PID:4400
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f9⤵PID:2200
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f9⤵PID:1800
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
PID:420
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4592 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe6⤵PID:1356
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1560
-
-
C:\Users\Admin\AppData\Local\Temp\1000436001\4t.exe"C:\Users\Admin\AppData\Local\Temp\1000436001\4t.exe"5⤵
- Executes dropped EXE
PID:2360
-
-
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:840 -
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3644
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2968
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4808
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3800
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3812
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4516
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2484
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4936
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2532
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:940
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:436
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:3316
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:3152
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3016
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2216
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4428
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4476
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3316
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:764
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:4200
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:4736
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:4124
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:4284
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:3156
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:2944
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3664
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3764
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2196
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4288
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:3956
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:64
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:4140
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:1776
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:3152
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:2220
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4228
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1728
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:3768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4528
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2896
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:880
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4384
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4300
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4456
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4308
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:5000
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3120
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:3972
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:4936
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4572
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:4080
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2824
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:3808
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Executes dropped EXE
PID:4940
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵PID:4152
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD574b02915b8ed39b3508a8bd2d27b8e0d
SHA16e9a8794724a958b03eb3e0056a0cfdce33b7072
SHA2562789a602511280d8d60d78ff578a8fcd215b71b70c9c32b8b926a4351ff5ea15
SHA512c7eff4872c014e0b0e14618e9ca786eeb73431d203871ee82ed4af61d5a90d0c6fe487f99e14a9d348072fa6761e30a4c54fbcf68f799b78f6b30d594c9d4f05
-
Filesize
1KB
MD52c955d7bf61471d84fa830e3974e6726
SHA1f114a7ab39f83361991c4f8a939c1e4c6b60e9bd
SHA256a757c092b06970cad64ab436b7e021379205443e997b106e67803fe5bfdf2231
SHA512e0a8f60694f2f08676d15c9eeff687596fc36b7a1e0a7e14be21ba6308596f15268535dac002592e444cd0eac21f6a878667e325e2fdee620eabb1c6b3af91b5
-
Filesize
1KB
MD52c955d7bf61471d84fa830e3974e6726
SHA1f114a7ab39f83361991c4f8a939c1e4c6b60e9bd
SHA256a757c092b06970cad64ab436b7e021379205443e997b106e67803fe5bfdf2231
SHA512e0a8f60694f2f08676d15c9eeff687596fc36b7a1e0a7e14be21ba6308596f15268535dac002592e444cd0eac21f6a878667e325e2fdee620eabb1c6b3af91b5
-
Filesize
1KB
MD5dbc9992083bd4edf9b7a6c75947e73ec
SHA1009cf068c3d074f3997836d361dc118d889e437a
SHA256293d2d203ea7c101ef0523196b5fa41f9a5a991fc9903053e87266fa834fb66f
SHA5129adbea6b0f09994a263c83901c3dbe7e6d2fbf03ab154e909c7b6ec0d6464f2082fe319e74dfc389d615f05ca2c35bf864b07bf0147c2968af256d6fe8f87167
-
Filesize
1KB
MD563156b8f937674bf2994fe78885c5880
SHA11ec217a57cd278d7d9cff4287d77b80f9c9b1186
SHA2566e716db4237eb0edc84cdc3012b0c09f73e598e90e800b8cd7095915fc70e8da
SHA512e7a8a952299c3d116aab270e0f80547b437631bdb9595045a837d9f932b929fa122cb42e84b790bc550e354083f9215ef54e90ba9f0a222cf349d3ec21597ade
-
Filesize
1KB
MD59398b789a74a61f3bbca7b41cf257fdd
SHA140e8cda3e70f24d6e648f5ec34c93466b68720a7
SHA25648a6c4a1fe40ff479372dbeb856ec09dee2347cfc1b428527af2820a70a05d43
SHA51213965f7e3426cbfd14920c5739eaa5cf947f9a748e4c401442b2d2db9523cd2c340792085bbdd90a170db68d39835e2fdea8babb556b802bdcfd395367dafa1b
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
1.7MB
MD5d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA18c13c02fcbb52cf0476aa8ed046f75d0371883dc
SHA25671cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA51262ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d
-
Filesize
3.5MB
MD5062fe47e8efc9041880ed273eda7c8f3
SHA1b77fffa5fce64689758a7180477ffa25bd62f509
SHA256589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
SHA51267a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
-
Filesize
3.5MB
MD5062fe47e8efc9041880ed273eda7c8f3
SHA1b77fffa5fce64689758a7180477ffa25bd62f509
SHA256589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
SHA51267a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
-
Filesize
3.5MB
MD5062fe47e8efc9041880ed273eda7c8f3
SHA1b77fffa5fce64689758a7180477ffa25bd62f509
SHA256589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
SHA51267a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
-
Filesize
3.5MB
MD5062fe47e8efc9041880ed273eda7c8f3
SHA1b77fffa5fce64689758a7180477ffa25bd62f509
SHA256589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
SHA51267a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
-
Filesize
3.5MB
MD5062fe47e8efc9041880ed273eda7c8f3
SHA1b77fffa5fce64689758a7180477ffa25bd62f509
SHA256589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
SHA51267a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
7.3MB
MD5c1d22d64c028c750f90bc2e763d3535c
SHA14403b1cdfb2fd7ecfba5b8e9cda93b6132accd49
SHA256864b19aacbc59643349d7f9911fd58d8cc851326a5e19eadc31a4f85ccb41dee
SHA512dce11fef1eba295889fc25f57f8b1b903ad23eee5106fcac10d950ec6d56b813df2f9da549c184430df8ccf1ee9e3c2281f0fa4ba9e021c0138c0f8361004ed5
-
Filesize
385KB
MD594a6c3b42400c62f37c3e09781478ee1
SHA1d56d09178e01a29fe063a0b3a77e94c7de24a6ef
SHA25602afba9405a5b480a7b1b80ec9abab41e462f8c30567f1926105a63eaf13e059
SHA512847012896e12aa1142f634c4b9c47834d7e29e00f5b3e6b296e3fec77954cbe3964e0914f0a20c3ff652d656fd2badc9df037afd85c2b633c23d2bd95daa0301
-
Filesize
385KB
MD594a6c3b42400c62f37c3e09781478ee1
SHA1d56d09178e01a29fe063a0b3a77e94c7de24a6ef
SHA25602afba9405a5b480a7b1b80ec9abab41e462f8c30567f1926105a63eaf13e059
SHA512847012896e12aa1142f634c4b9c47834d7e29e00f5b3e6b296e3fec77954cbe3964e0914f0a20c3ff652d656fd2badc9df037afd85c2b633c23d2bd95daa0301
-
Filesize
385KB
MD594a6c3b42400c62f37c3e09781478ee1
SHA1d56d09178e01a29fe063a0b3a77e94c7de24a6ef
SHA25602afba9405a5b480a7b1b80ec9abab41e462f8c30567f1926105a63eaf13e059
SHA512847012896e12aa1142f634c4b9c47834d7e29e00f5b3e6b296e3fec77954cbe3964e0914f0a20c3ff652d656fd2badc9df037afd85c2b633c23d2bd95daa0301
-
Filesize
385KB
MD594a6c3b42400c62f37c3e09781478ee1
SHA1d56d09178e01a29fe063a0b3a77e94c7de24a6ef
SHA25602afba9405a5b480a7b1b80ec9abab41e462f8c30567f1926105a63eaf13e059
SHA512847012896e12aa1142f634c4b9c47834d7e29e00f5b3e6b296e3fec77954cbe3964e0914f0a20c3ff652d656fd2badc9df037afd85c2b633c23d2bd95daa0301
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
Filesize
566KB
MD5cd2d66edbe500051c5d2711026a84f9d
SHA1228297d4933ea3be5ec0c88dfe5031b5685518ce
SHA25632f2561030c5fc44aa2efafeec6a0fdc70409ebd1cb5124e02466dc270f3194d
SHA51244420a72cdab6b891a21207fa1ab5950e0417ff39373a2c1711c544b0002d8b5d73bcd884d6ada755ab78703f271b820f719a31a29154994d21992016db725e0
-
Filesize
566KB
MD5cd2d66edbe500051c5d2711026a84f9d
SHA1228297d4933ea3be5ec0c88dfe5031b5685518ce
SHA25632f2561030c5fc44aa2efafeec6a0fdc70409ebd1cb5124e02466dc270f3194d
SHA51244420a72cdab6b891a21207fa1ab5950e0417ff39373a2c1711c544b0002d8b5d73bcd884d6ada755ab78703f271b820f719a31a29154994d21992016db725e0
-
Filesize
566KB
MD5cd2d66edbe500051c5d2711026a84f9d
SHA1228297d4933ea3be5ec0c88dfe5031b5685518ce
SHA25632f2561030c5fc44aa2efafeec6a0fdc70409ebd1cb5124e02466dc270f3194d
SHA51244420a72cdab6b891a21207fa1ab5950e0417ff39373a2c1711c544b0002d8b5d73bcd884d6ada755ab78703f271b820f719a31a29154994d21992016db725e0
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
416KB
MD57433b89533975644206ecef89d1f69c2
SHA11d39291d98d9ed5280e774ac83400350bdd04dd0
SHA25624bb49806a6bbbbad6be8c3714104d2faf72cf6c68eb8e156b15b00eb91c8a94
SHA51270a69d9f03478327ecf33f323f86de269779362f840698c2c7bac3e21645432c87a0024d787c15a2c0ee5ac06d692955f1b73d94563d89f4f8f58afe57ce28b1
-
Filesize
416KB
MD57433b89533975644206ecef89d1f69c2
SHA11d39291d98d9ed5280e774ac83400350bdd04dd0
SHA25624bb49806a6bbbbad6be8c3714104d2faf72cf6c68eb8e156b15b00eb91c8a94
SHA51270a69d9f03478327ecf33f323f86de269779362f840698c2c7bac3e21645432c87a0024d787c15a2c0ee5ac06d692955f1b73d94563d89f4f8f58afe57ce28b1
-
Filesize
850.5MB
MD5274973baa827ee52de343115b8c4a96a
SHA1e684d7e66dcfbc666214a970869c6a08443a70a7
SHA2565d8aa0e0467ea6de2882c483f4d18982ecc4b5cb8294d375b25972a20c261818
SHA51261fc67be900384aaec39aa354ddcf3cf19fa42212dc16da97172934d9e373227388909f3916712caee2603b9ce7da6b0c1b61daba095a0921230069364ef68c1
-
Filesize
5.4MB
MD5eb4ac7939106b5646b1a9fd301dcd3ed
SHA1b48e8bdbb2bd67bf15da3fc4650801b237e6f220
SHA2566d22e75bacf7d955250d9fa2d5978400884a845800fcd68102ddc157257b81cf
SHA512d39f22aaa6121151633f3950def99afd8c8ad9571fca3c2f04ca928fa8ca20f99e9a9777b82017e1f180b73e4351f1ad3c0778cbbc0294f0212b06465f58d0a1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize41KB
MD50f38a17bbaa7b6f75f51c671be981097
SHA1ee95e5225cfb623b6ddd58902bf72504993e2030
SHA25603f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39
SHA512429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD51e03e8824087e3a2798285d382be8392
SHA12bd4045fffaa48d89c1a4a586478cd6a4746e76a
SHA256d40d23feb5d84b8b9d20cf47dc9af89d0072e82922547729f38a076f785b3457
SHA51239d2f1bb1c2b74c519dd5ac461ed7f93874dd4a2df37d0ed9008ba4aab1865b28a13e53ada8aea174b7f96314c38dfde799497208fc032a35773f27dd0e17857
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5958b568a85f4b913444ba4a0294a8c33
SHA111f282b6cf1b2deb7fab8b1ddb984da69b963f27
SHA256f46e5a0bb6f7f0f412a07211b9be612f2bb0673dbcbdd1ca25495f83bc8799b1
SHA512832acef80c706143956eb4b0089769d0e251ad266ad390d6fdfb2383ca4636de77e43cb066c668bab6150faed11e7bd214f521d674d40d1c115a207dff531495
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD52992329e284c0364ac85f1243660a4b3
SHA1beae1545ac3514312b9910e0decf38e3125ec613
SHA256d890dbbb42a915eb108a83442f1ecaeb5c51782beb6b1e93474be62290d2b27e
SHA5128a5151055812c875274e760471d0c2db52727104ada4811d274ca7582b90722f3a5d88ff5b8222ffbc391dd033ac03596abaca40bbc55799a3b98a3465feeb2a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD55ad205241b41dea1b063903736c69ca0
SHA1fbdd4ac16e81b215a364df9788dc9f8741d462d3
SHA256ca347b904968c8a7f8ffe1e281400a9c3a23d30d63a058d39981d07219ad171c
SHA5121b768b044d88868fd408dec4286aa506276aafb1b47fc9212d0f6184c0fbce4c742d86331314ad9ad76c24b05a474968e839743ec45eaa9422339d607df09508
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize17KB
MD5ea88f5bb9be05e2c1650bba1a9c0488a
SHA1bae961cc60a4af3af29d67bb357c2d687bc70be9
SHA25692e8673bd41ac03afb744def72b2b5a5feca335076a785f47c920c99078e6a03
SHA51298427416ba62b734e8e2d5526ad860d2a0c7c474a8254a0022d56368ab79fe554d1ba0cf82e1aca5c88f426770f3ca9ab19603cc2c3007aff98698a45add3800
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
Filesize
4.3MB
MD51d80dd9f0e5db1a685c6bb9e9a91b222
SHA1cbaf6eb478cfaac67372a130f527c63ae4dc496e
SHA2560ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
SHA512d9293200e1e046209a26b20486330fe379652ece25de70ef9b4a63221729ccf22fa8f5457ea7b53b0cc1d80474844c7c72730cf1afe6ba1c32e726046d81c8b7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize3KB
MD5811d351aabd7b708fef7683cf5e29e15
SHA106fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA2560915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5302a7c179ef577c237c5418fb770fd27
SHA1343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA2569e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec