Analysis
-
max time kernel
300s -
max time network
304s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
15-10-2023 22:25
Static task
static1
Behavioral task
behavioral1
Sample
c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe
Resource
win10-20230915-en
General
-
Target
c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe
-
Size
241KB
-
MD5
df25f71bbfe99d98745cef918cda8d77
-
SHA1
abad71342f8117b6c1ec710874fc3eb2a841497a
-
SHA256
c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821
-
SHA512
aac7b176d863f9793ab56221a8a064c489dd6d54f63e35990f56563926d7ef846d75607ca88208912afc4c5118374ee0ef61f754685b98c6feb0c97dad3fcbf8
-
SSDEEP
3072:kCEWivbZ/pFgRv07856weP7FqAKU/TX9sLsv57qtN+y7qh:qWsbTF8M7856TwHUrXhVqtN+y
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.pthh
-
offline_id
43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Extracted
smokeloader
up3
Extracted
vidar
6
d37c48c18c73cc0e155c7e1dfde06db9
https://steamcommunity.com/profiles/76561199560322242
https://t.me/cahalgo
-
profile_id_v2
d37c48c18c73cc0e155c7e1dfde06db9
-
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq
Signatures
-
Detected Djvu ransomware 17 IoCs
resource yara_rule behavioral2/memory/2812-21-0x0000000004A20000-0x0000000004B3B000-memory.dmp family_djvu behavioral2/memory/4928-20-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4928-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4928-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4928-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4928-51-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-74-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-80-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-77-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-101-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-104-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-123-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-125-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-126-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-142-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-166-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2544-201-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Detects DLL dropped by Raspberry Robin. 6 IoCs
Raspberry Robin.
resource yara_rule behavioral2/memory/804-48-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/804-49-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/804-50-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/804-56-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/804-91-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/804-111-0x0000000074300000-0x00000000744C2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 4 IoCs
resource yara_rule behavioral2/memory/256-159-0x00000000050E0000-0x00000000059CB000-memory.dmp family_glupteba behavioral2/memory/256-188-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/256-273-0x00000000050E0000-0x00000000059CB000-memory.dmp family_glupteba behavioral2/memory/4864-301-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4880-65-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs
description pid Process procid_target PID 2316 created 3296 2316 Conhost.exe 53 PID 2316 created 3296 2316 Conhost.exe 53 PID 2316 created 3296 2316 Conhost.exe 53 PID 2316 created 3296 2316 Conhost.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 2316 created 3296 2316 Conhost.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 1704 created 3296 1704 mi.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 2988 created 3296 2988 updater.exe 53 PID 4404 created 3296 4404 updater.exe 53 PID 4404 created 3296 4404 updater.exe 53 PID 4404 created 3296 4404 updater.exe 53 PID 4404 created 3296 4404 updater.exe 53 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3A0C.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3A0C.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 10D5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 56 2092 schtasks.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts updater.exe File created C:\Windows\System32\drivers\etc\hosts Conhost.exe File created C:\Windows\System32\drivers\etc\hosts mi.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 4404 netsh.exe 4248 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 10D5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 10D5.exe -
Deletes itself 1 IoCs
pid Process 3296 Explorer.EXE -
Executes dropped EXE 39 IoCs
pid Process 2812 C5F.exe 4928 C5F.exe 804 10D5.exe 4660 122D.exe 4920 C5F.exe 2544 C5F.exe 1816 Conhost.exe 4252 2D2B.exe 1844 yiueea.exe 256 3A0C.exe 2616 Conhost.exe 4288 toolspub2.exe 1680 toolspub2.exe 1252 build3.exe 648 build2.exe 4864 d21cbe21e38b385a41a68c5e6dd32f4c.exe 2316 Conhost.exe 2192 build3.exe 520 yiueea.exe 2528 mstsca.exe 3312 3A0C.exe 4508 d21cbe21e38b385a41a68c5e6dd32f4c.exe 1704 mi.exe 952 yiueea.exe 2988 updater.exe 4404 updater.exe 4196 csrss.exe 4960 yiueea.exe 4360 mstsca.exe 4636 injector.exe 2320 windefender.exe 3884 windefender.exe 4624 yiueea.exe 2720 mstsca.exe 2972 mstsca.exe 372 f801950a962ddba14caaa44bf084b55c.exe 2324 mstsca.exe 2508 yiueea.exe 1096 mstsca.exe -
Loads dropped DLL 3 IoCs
pid Process 1916 regsvr32.exe 648 build2.exe 648 build2.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4616 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000001afd7-37.dat themida behavioral2/files/0x000800000001afd7-36.dat themida behavioral2/memory/804-70-0x00000000011D0000-0x0000000001950000-memory.dmp themida behavioral2/files/0x000800000001b043-1775.dat themida behavioral2/files/0x000800000001b043-3659.dat themida -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3A0C.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3A0C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3A0C.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 schtasks.exe Key opened \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 schtasks.exe Key opened \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 schtasks.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7cc9e995-9fcc-4e46-a140-b0d591141d9d\\C5F.exe\" --AutoStart" C5F.exe Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 3A0C.exe Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 10D5.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mi.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 api.2ip.ua 21 api.2ip.ua 29 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log cmd.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive cmd.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 804 10D5.exe 1704 mi.exe -
Suspicious use of SetThreadContext 12 IoCs
description pid Process procid_target PID 2812 set thread context of 4928 2812 C5F.exe 71 PID 4660 set thread context of 4880 4660 122D.exe 79 PID 4920 set thread context of 2544 4920 C5F.exe 81 PID 4288 set thread context of 1680 4288 toolspub2.exe 100 PID 2616 set thread context of 648 2616 Conhost.exe 103 PID 804 set thread context of 3020 804 Process not Found 109 PID 1252 set thread context of 2192 1252 build3.exe 111 PID 2988 set thread context of 3048 2988 updater.exe 214 PID 2988 set thread context of 4820 2988 updater.exe 215 PID 2528 set thread context of 4360 2528 mstsca.exe 220 PID 2720 set thread context of 2972 2720 mstsca.exe 250 PID 2324 set thread context of 1096 2324 mstsca.exe 260 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 3A0C.exe File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe mi.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Chrome\updater.exe Conhost.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 3A0C.exe File created C:\Windows\rss\csrss.exe 3A0C.exe File opened for modification C:\Windows\rss d21cbe21e38b385a41a68c5e6dd32f4c.exe File created C:\Windows\rss\csrss.exe d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Launches sc.exe 21 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2756 sc.exe 3332 sc.exe 1084 sc.exe 2380 sc.exe 4196 sc.exe 1060 sc.exe 4868 sc.exe 68 sc.exe 340 sc.exe 3716 sc.exe 3016 sc.exe 1544 sc.exe 1368 sc.exe 3868 sc.exe 4856 sc.exe 3780 sc.exe 2324 sc.exe 4172 sc.exe 1436 sc.exe 4260 sc.exe 712 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4488 4660 WerFault.exe 74 3532 648 WerFault.exe 103 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2D2B.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2D2B.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2D2B.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe -
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5060 schtasks.exe 2092 schtasks.exe 1664 schtasks.exe 4192 schtasks.exe 3500 schtasks.exe 1784 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-571 = "China Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed cmd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1112 c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe 1112 c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3296 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 620 Process not Found -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 1112 c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 3296 Explorer.EXE 4252 2D2B.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 804 Process not Found Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 5052 powershell.exe Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 4880 AppLaunch.exe Token: SeDebugPrivilege 1060 sc.exe Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 3020 AppLaunch.exe Token: SeDebugPrivilege 5068 powershell.exe Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 256 3A0C.exe Token: SeImpersonatePrivilege 256 3A0C.exe Token: SeDebugPrivilege 4864 d21cbe21e38b385a41a68c5e6dd32f4c.exe Token: SeImpersonatePrivilege 4864 d21cbe21e38b385a41a68c5e6dd32f4c.exe Token: SeShutdownPrivilege 3296 Explorer.EXE Token: SeCreatePagefilePrivilege 3296 Explorer.EXE Token: SeDebugPrivilege 3768 powershell.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeIncreaseQuotaPrivilege 5068 powershell.exe Token: SeSecurityPrivilege 5068 powershell.exe Token: SeTakeOwnershipPrivilege 5068 powershell.exe Token: SeLoadDriverPrivilege 5068 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3296 wrote to memory of 2812 3296 Explorer.EXE 70 PID 3296 wrote to memory of 2812 3296 Explorer.EXE 70 PID 3296 wrote to memory of 2812 3296 Explorer.EXE 70 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 2812 wrote to memory of 4928 2812 C5F.exe 71 PID 3296 wrote to memory of 804 3296 Explorer.EXE 72 PID 3296 wrote to memory of 804 3296 Explorer.EXE 72 PID 3296 wrote to memory of 804 3296 Explorer.EXE 72 PID 4928 wrote to memory of 4616 4928 C5F.exe 73 PID 4928 wrote to memory of 4616 4928 C5F.exe 73 PID 4928 wrote to memory of 4616 4928 C5F.exe 73 PID 3296 wrote to memory of 4660 3296 Explorer.EXE 74 PID 3296 wrote to memory of 4660 3296 Explorer.EXE 74 PID 3296 wrote to memory of 4660 3296 Explorer.EXE 74 PID 4928 wrote to memory of 4920 4928 C5F.exe 77 PID 4928 wrote to memory of 4920 4928 C5F.exe 77 PID 4928 wrote to memory of 4920 4928 C5F.exe 77 PID 3296 wrote to memory of 2552 3296 Explorer.EXE 80 PID 3296 wrote to memory of 2552 3296 Explorer.EXE 80 PID 2552 wrote to memory of 1916 2552 regsvr32.exe 78 PID 2552 wrote to memory of 1916 2552 regsvr32.exe 78 PID 2552 wrote to memory of 1916 2552 regsvr32.exe 78 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4660 wrote to memory of 4880 4660 122D.exe 79 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 4920 wrote to memory of 2544 4920 C5F.exe 81 PID 3296 wrote to memory of 1816 3296 Explorer.EXE 148 PID 3296 wrote to memory of 1816 3296 Explorer.EXE 148 PID 3296 wrote to memory of 1816 3296 Explorer.EXE 148 PID 3296 wrote to memory of 4252 3296 Explorer.EXE 86 PID 3296 wrote to memory of 4252 3296 Explorer.EXE 86 PID 3296 wrote to memory of 4252 3296 Explorer.EXE 86 PID 1816 wrote to memory of 1844 1816 Conhost.exe 85 PID 1816 wrote to memory of 1844 1816 Conhost.exe 85 PID 1816 wrote to memory of 1844 1816 Conhost.exe 85 PID 1844 wrote to memory of 5060 1844 yiueea.exe 87 PID 1844 wrote to memory of 5060 1844 yiueea.exe 87 PID 1844 wrote to memory of 5060 1844 yiueea.exe 87 PID 1844 wrote to memory of 4780 1844 yiueea.exe 88 PID 1844 wrote to memory of 4780 1844 yiueea.exe 88 PID 1844 wrote to memory of 4780 1844 yiueea.exe 88 PID 4780 wrote to memory of 3604 4780 cmd.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 schtasks.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 schtasks.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe"C:\Users\Admin\AppData\Local\Temp\c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1112
-
-
C:\Users\Admin\AppData\Local\Temp\C5F.exeC:\Users\Admin\AppData\Local\Temp\C5F.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\C5F.exeC:\Users\Admin\AppData\Local\Temp\C5F.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\7cc9e995-9fcc-4e46-a140-b0d591141d9d" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:4616
-
-
C:\Users\Admin\AppData\Local\Temp\C5F.exe"C:\Users\Admin\AppData\Local\Temp\C5F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\C5F.exe"C:\Users\Admin\AppData\Local\Temp\C5F.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
PID:2544 -
C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build3.exe"C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1252 -
C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build3.exe"C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build3.exe"7⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook profiles
- Creates scheduled task(s)
- outlook_office_path
- outlook_win_path
PID:2092
-
-
-
-
C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build2.exe"C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build2.exe"6⤵PID:2616
-
C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build2.exe"C:\Users\Admin\AppData\Local\5ed01e4a-0041-4e1d-b794-dc536cb154fe\build2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 17168⤵
- Program crash
PID:3532
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10D5.exeC:\Users\Admin\AppData\Local\Temp\10D5.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:804 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
-
C:\Users\Admin\AppData\Local\Temp\122D.exeC:\Users\Admin\AppData\Local\Temp\122D.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
PID:1704
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 2483⤵
- Program crash
PID:4488
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\15C8.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2552
-
-
C:\Users\Admin\AppData\Local\Temp\2039.exeC:\Users\Admin\AppData\Local\Temp\2039.exe2⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F4⤵
- Creates scheduled task(s)
PID:5060
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:3604
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"5⤵PID:68
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"5⤵PID:4476
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4208
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E5⤵PID:1956
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E5⤵PID:3936
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"5⤵
- Executes dropped EXE
PID:1680
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4864 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵PID:32
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
PID:4404
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1220
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1216
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"4⤵PID:2316
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2D2B.exeC:\Users\Admin\AppData\Local\Temp\2D2B.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4252
-
-
C:\Users\Admin\AppData\Local\Temp\3A0C.exeC:\Users\Admin\AppData\Local\Temp\3A0C.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:256 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
C:\Users\Admin\AppData\Local\Temp\3A0C.exe"C:\Users\Admin\AppData\Local\Temp\3A0C.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:3312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:2272
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:4248
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4968
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4060
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:4196 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2912
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:2908
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:4192
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:4636
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:1784
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:208
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:3868
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe5⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f6⤵PID:4044
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f6⤵PID:3680
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2616
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4344
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:340
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2756
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1436
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3716
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4856
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:4584
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2080
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:3324
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:3480
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:4388
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4496
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:3492
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:872
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4380
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3016
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3332
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3780
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2380
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4196
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2524
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:2672
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:3000
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:1164
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:2928
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵PID:4724
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"2⤵
- Creates scheduled task(s)
PID:1664
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4980
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2316
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4260
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4868
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:712
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:68
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:828
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2508
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:3048
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1520
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4980 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2316
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1544
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4172
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1084
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1368
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2324
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1980
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:696
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:1096
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:4900
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:2472
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:3568
-
-
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\15C8.dll1⤵
- Loads dropped DLL
PID:1916
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2528 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
PID:3500
-
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:520
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:952
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2988
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:4404
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4960
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵PID:2776
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵PID:4100
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵PID:3480
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵PID:1624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4476
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3884
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4624
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2720 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:2972
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2324 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:1096
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:2508
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b3cc1eab5e14e2d7a01804b22ecf4043
SHA11883aeaac8649c5b6848f2131ec56464b964f8fc
SHA25625d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5d51a2c922a3697f0f83b25300c0a50e6
SHA18c9dd673a086c4a21691294e900e27027b460430
SHA2569e26060acf4dca0b5eca3988fe8e9dae959f670bbfa36281da0fff3483b595d9
SHA512a0803d2d2de13f99b4e0b15fd6a77756234026b381210da0771589ec6825307844257eff13010aa654634245ededd357d83edbc32fc9ba3260acb7a4dea3d4e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5a5419cbed869faee18df5fe7d6815d15
SHA10f50924ab2d165bc4d809fbe4bfd281b330c85e3
SHA2562389b46bbe4d8bd712122302f95c84b80376453f584818f120e27db333349d87
SHA5120a13230eecf6c176a9b45f06b76d0e3f05939255516d90522dec30baf038e83f40c258b86241b5e177cdd57c3a6e90060db97000e776cca2ff6d8201904868d7
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
3KB
MD5811d351aabd7b708fef7683cf5e29e15
SHA106fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA2560915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a
-
Filesize
2KB
MD5177e4097e995e27ef16a82fdc42d1199
SHA14ad1985213a7747facc2daa618a23e0c75b37755
SHA256b0ea0451e27f185b31105e5d796e8af4363134e636d23af3a388679b5027b0b6
SHA51285bad113d4a6a661223e9f14711af6f59e546aa8afbc9d36166434b4d69fe413807746249a09e7b575ed917aa50c49b586495ce5ded048159a516ca4c876e937
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
45KB
MD50b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
Filesize
51KB
MD57e3a95827a45fe94d35065991f0fc160
SHA10e229284e10b53ac22afdb4a89907a1f839983d6
SHA256942d2f2e33e8f880a7fb7a62f80ac15081651d1e6fc711d078dbddca65eb1d87
SHA512bed29ad257abd93b54ab61b62c79d2902707dba8169a2606f90df574f2780fdc980fc3cf4ec3458915ecc98327e5dbc29a30479fa970138fb020c5cc2badc050
-
Filesize
19KB
MD59a8a3105fd5995dc60baaade61335749
SHA1e6c393a6adbf27c06ec8acb41d31f89ea17231f5
SHA2565cf34ef430f32ab5947d608af72e49c0369dc6b5d3f9430b450e6ee443368ff0
SHA51206dd82853893cb84a0111aa0833e6a8e1191d5beeebc1bec99f33be56540bf2ee0d1dae2ed5d56c49e3ea5b608ec77e488ff7f5e5e633f424127efc99a07127b
-
Filesize
1KB
MD59af38c0e69207c4f1f2629d69c5fb98f
SHA1bdf5728ce243fb6e79c06423fb1fd937c4ca4cdb
SHA25699bb5f15c9d8e8689cf9068484cb2baabe3f87474c31537436063b625d5e48f7
SHA512786e63ff297e4f01457dc90d15523fcc9c30b4f1771cd379cc7c6068b7b5aeeb24973176854ec34cd260415817b1a8e1f0e7fdcc6f1cd70923ec40d91db90d9c
-
Filesize
1KB
MD54835f90aba0a0054293639b02d10c914
SHA180f0302367efdd4f85978d342c018b1fd8050d4a
SHA2560dec8062e3f17ea484981e69056cd34ab630583beab9f640df2c31c36445bbce
SHA51238aa39e4b8983e26e4d428cae593b99cd11182c5282e15cad6a70af9f8df560a222fa7f83a6a710cbcc21e4067b0642c0b010342b23c650845fc0e36f6f98cee
-
Filesize
226KB
MD5c054b59d8acd94091def95ac0eb1b21d
SHA1e68d53a92b4da038658db809ace8a336f711b8db
SHA256bbd51015a08c43511cac74f613bff1060a50c719bc882afe150e4d3c58033aaa
SHA5127d4af6a9bf8e4aa2c01f5bf4774c533de8ad2f349e6e07306027f84b7a62dcb0d9daff5c480db5c071401cb0e7c4e1a3ae6213585dc83cc20b845031ea61405e
-
Filesize
226KB
MD5c054b59d8acd94091def95ac0eb1b21d
SHA1e68d53a92b4da038658db809ace8a336f711b8db
SHA256bbd51015a08c43511cac74f613bff1060a50c719bc882afe150e4d3c58033aaa
SHA5127d4af6a9bf8e4aa2c01f5bf4774c533de8ad2f349e6e07306027f84b7a62dcb0d9daff5c480db5c071401cb0e7c4e1a3ae6213585dc83cc20b845031ea61405e
-
Filesize
226KB
MD5c054b59d8acd94091def95ac0eb1b21d
SHA1e68d53a92b4da038658db809ace8a336f711b8db
SHA256bbd51015a08c43511cac74f613bff1060a50c719bc882afe150e4d3c58033aaa
SHA5127d4af6a9bf8e4aa2c01f5bf4774c533de8ad2f349e6e07306027f84b7a62dcb0d9daff5c480db5c071401cb0e7c4e1a3ae6213585dc83cc20b845031ea61405e
-
Filesize
226KB
MD5c054b59d8acd94091def95ac0eb1b21d
SHA1e68d53a92b4da038658db809ace8a336f711b8db
SHA256bbd51015a08c43511cac74f613bff1060a50c719bc882afe150e4d3c58033aaa
SHA5127d4af6a9bf8e4aa2c01f5bf4774c533de8ad2f349e6e07306027f84b7a62dcb0d9daff5c480db5c071401cb0e7c4e1a3ae6213585dc83cc20b845031ea61405e
-
Filesize
4.1MB
MD58627c70b06ccae7c64acdd10a0d5d0ae
SHA1fd87db535189654374d269e59ff1dd62020e4464
SHA256a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99
-
Filesize
4.1MB
MD58627c70b06ccae7c64acdd10a0d5d0ae
SHA1fd87db535189654374d269e59ff1dd62020e4464
SHA256a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99
-
Filesize
4.1MB
MD58627c70b06ccae7c64acdd10a0d5d0ae
SHA1fd87db535189654374d269e59ff1dd62020e4464
SHA256a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99
-
Filesize
4.1MB
MD58627c70b06ccae7c64acdd10a0d5d0ae
SHA1fd87db535189654374d269e59ff1dd62020e4464
SHA256a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
196B
MD562962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1KB
MD5546d67a48ff2bf7682cea9fac07b942e
SHA1a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA51210d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
-
Filesize
9.9MB
MD50c5f3483a23c84f846ea7953c4bdd390
SHA1fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA2562dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA5124a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
9.9MB
MD50c5f3483a23c84f846ea7953c4bdd390
SHA1fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA2562dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA5124a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD58eacfc16bf1fd3f103550d34a74799bd
SHA15ab7ad0a6a23c6a35180ac6efc8243f8e38b529c
SHA256395c47c9e38def88bc3b2a2c7391745e2b274239f1a46c510eb3365a6e221f3c
SHA51200ef7b6f20bab58db056edc1517fc66b2028ce76444f57c9cc8a69c8ac9d1e365501dcc1d0cdf5bdb6e154980688c2a0520b9a5be0a1ef06abd97bf391fb3f59
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD58eacfc16bf1fd3f103550d34a74799bd
SHA15ab7ad0a6a23c6a35180ac6efc8243f8e38b529c
SHA256395c47c9e38def88bc3b2a2c7391745e2b274239f1a46c510eb3365a6e221f3c
SHA51200ef7b6f20bab58db056edc1517fc66b2028ce76444f57c9cc8a69c8ac9d1e365501dcc1d0cdf5bdb6e154980688c2a0520b9a5be0a1ef06abd97bf391fb3f59
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD594fd4bb8acd27126f6876b7d2f3a671f
SHA11a4ab20d7459fdc9e97ca2b2916b2e31e0ff1099
SHA2563e8c4d71af05af6139b4ea5c051a563725333a1b06b356f360296c2f55c928d2
SHA512b48f166ba89ac48e8b6b3e5c989bc8f0ff82f1eb6f5967a14ef783bf5e70f427faeb9a8fdf67fc5e9050559c82e272bbb325429d8a4f025040ae23fcc1c08e66
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD594fd4bb8acd27126f6876b7d2f3a671f
SHA11a4ab20d7459fdc9e97ca2b2916b2e31e0ff1099
SHA2563e8c4d71af05af6139b4ea5c051a563725333a1b06b356f360296c2f55c928d2
SHA512b48f166ba89ac48e8b6b3e5c989bc8f0ff82f1eb6f5967a14ef783bf5e70f427faeb9a8fdf67fc5e9050559c82e272bbb325429d8a4f025040ae23fcc1c08e66
-
Filesize
3KB
MD5afdbe8b5c48f7db75270c64a3b48611c
SHA1cddb22e3a394aafddad3761ef84b00ce51d43184
SHA2565f8432d0251b18591d359c36ef56064dac54369d1e33cd5c2e80f426e6561cd5
SHA512cea0fb172576abb6378bf9c95054eb1066a612ec6ed698a8dd0d49e5d1364642ef6699051b61dbce3ab98f1596fdbe10ec0ede32e2486ea292499c6f9f97fb89
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060