Analysis
-
max time kernel
71s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
24/01/2024, 13:39
Static task
static1
General
-
Target
file.exe
-
Size
9.3MB
-
MD5
aca54a0ddb87930dc31fe9123c46d76d
-
SHA1
ea2b2453cdff42d802117ab302028c9614a83a43
-
SHA256
9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8
-
SHA512
0ce4c6283f9112413e247d3dc79e033afa90321f55f36eb9cb1b38f051987ca3b9c808c5b323112fefe702cb56c90a0006421a2ec46e343e4d1c04ecf63aa44e
-
SSDEEP
196608:Zlzk48Er+gQjoW4fsySabpuYf8GLgB4cmNYqp5eiQt1Cz7Zy:ZKPgAEUy5bpjrLg7mia5JQt1C5
Malware Config
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276�6914c4.php
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
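The extracted configurations above are the most reusable output of the run. The Python below is an added example, not part of the sandbox report and not tooling from any of the families listed: it parses the Extracted blocks in the page's flattened layout into structured records, joins the Stealc host and gate path into the real check-in URL, lists every host for blocking, and applies the STOP/Djvu convention that a personal ID ending in t1 was issued with the hard-coded offline key. The input is a constructed copy of the blocks above (ransom note abbreviated, the garbled character in the Stealc path kept as U+FFFD); the function names are the example's own.

```python
"""Turn the 'Malware Config / Extracted' blocks of a sandbox report into structured IoCs."""
import json
import re
from urllib.parse import urljoin, urlparse

# Constructed input: the report's four Extracted blocks in the page's flattened layout
# (one item per line, a "-" line introducing a named field). The Djvu ransom note is
# abbreviated to its last sentence; the Stealc gate path keeps the page's U+FFFD as-is.
REPORT_CONFIG = """\
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276\ufffd6914c4.php
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! (abbreviated) ... Your personal ID: 0844OSkw
"""

URL_RE = re.compile(r"^https?://", re.I)
NEXT_IS_KEY = object()  # sentinel: a "-" line means the next line names a field


def parse_extracted(text):
    """One dict per 'Extracted' block: family, positional C2 URLs, free-standing tags, keyed fields."""
    configs, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            cur = {"family": None, "c2": [], "tags": [], "fields": {}}
            configs.append(cur)
            key = None
        elif cur is None:
            continue                      # text before the first block
        elif cur["family"] is None:
            cur["family"] = line
        elif line == "-":
            key = NEXT_IS_KEY
        elif key is NEXT_IS_KEY:
            key = line
            cur["fields"].setdefault(key, [])
        elif key is not None:
            cur["fields"][key].append(line)
        elif URL_RE.match(line):
            cur["c2"].append(line)        # unnamed URL before any field: the C2
        else:
            cur["tags"].append(line)      # unnamed non-URL: botnet id / version string
    return configs


def network_iocs(configs):
    """Every URL in every block as (family, kind, url, host); kind is 'c2' or the field name."""
    out = []
    for c in configs:
        pairs = [("c2", u) for u in c["c2"]]
        for k, vals in c["fields"].items():
            pairs += [(k, v) for v in vals if URL_RE.match(v)]
        out += [(c["family"], k, u, urlparse(u).hostname) for k, u in pairs]
    return out


def stealc_gate(cfg):
    """Stealc stores C2 host and gate path separately; the real check-in URL is their join."""
    return urljoin(cfg["c2"][0], cfg["fields"]["url_path"][0])


def djvu_key_mode(personal_id):
    """STOP/Djvu IDs ending in 't1' were issued with the hard-coded offline key (C2 unreachable
    at encryption time); any other ID means a per-victim online key only the operator holds."""
    return "offline" if personal_id.endswith("t1") else "online"


if __name__ == "__main__":
    cfgs = parse_extracted(REPORT_CONFIG)
    print(json.dumps(cfgs, indent=1))
    for ioc in network_iocs(cfgs):
        print(*ioc)
    print(stealc_gate(cfgs[0]))
    print(djvu_key_mode(cfgs[3]["fields"]["offline_id"][0]))
```

The split between `c2` and `tags` is what makes the two SmokeLoader blocks usable: `pub1` and `2022` are not URLs and would otherwise pollute a blocklist, while the three trad/trade domains land in the host list together with the Djvu download hosts.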
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
-
Detected Djvu ransomware 4 IoCs
resource | yara_rule
behavioral2/memory/2780-541-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2780-542-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2780-539-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2780-557-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
-
Djvu Ransomware
Ransomware that is a variant of the STOP family.
-
Glupteba payload 8 IoCs
resource | yara_rule
behavioral2/memory/1968-62-0x0000000002D80000-0x000000000366B000-memory.dmp | family_glupteba
behavioral2/memory/1968-63-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/1968-142-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/1828-147-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/1968-144-0x0000000002D80000-0x000000000366B000-memory.dmp | family_glupteba
behavioral2/memory/1828-291-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/992-423-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/992-499-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
XMRig Miner payload 5 IoCs
resource | yara_rule
behavioral2/memory/4364-517-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4364-520-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4364-523-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4364-518-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4364-530-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4660 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | D216.exe
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | nsx4C5D.tmp
-
Executes dropped EXE 21 IoCs
pid | Process
3180 | InstallSetup7.exe
1044 | toolspub1.exe
1968 | 31839b57a4f11171d6abc8bbc4451ee4.exe
1796 | BroomSetup.exe
2112 | rty25.exe
2832 | FirstZ.exe
4128 | nsx4C5D.tmp
1828 | 31839b57a4f11171d6abc8bbc4451ee4.exe
992 | csrss.exe
1264 | injector.exe
2704 | Conhost.exe
1864 | windefender.exe
4696 | windefender.exe
4256 | WerFault.exe
2700 | tffiuru
2780 | D216.exe
3416 | explorer.exe
5056 | D216.exe
1436 | D91C.exe
2700 | tffiuru
1884 | F139.exe
-
Loads dropped DLL 4 IoCs
pid | Process
3180 | InstallSetup7.exe
3180 | InstallSetup7.exe
4128 | nsx4C5D.tmp
4128 | nsx4C5D.tmp
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1416 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
UPX packed file 18 IoCs
resource | yara_rule
behavioral2/files/0x000700000002322f-434.dat | upx
behavioral2/files/0x000700000002322f-436.dat | upx
behavioral2/memory/1864-437-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/files/0x000700000002322f-433.dat | upx
behavioral2/memory/4364-515-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-516-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-517-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-520-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-522-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-523-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-524-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-521-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-518-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-514-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-513-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-512-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-529-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4364-530-0x0000000140000000-0x0000000140848000-memory.dmp | upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ad444082-f4b8-4a6d-992f-793edc7f4d66\\D216.exe\" --AutoStart" | D216.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from detection.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
-
Drops file in System32 directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | FirstZ.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | explorer.exe
File opened for modification | C:\Windows\system32\MRT.exe | WerFault.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | timeout.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | cmd.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | explorer.exe
-
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 4256 set thread context of 4604 | 4256 | WerFault.exe | 251
PID 4256 set thread context of 4364 | 4256 | WerFault.exe | 246
PID 2700 set thread context of 2780 | 2700 | tffiuru | 278
PID 3416 set thread context of 5056 | 3416 | explorer.exe | 289
PID 1884 set thread context of 4572 | 1884 | F139.exe | 312
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Launches sc.exe 15 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
2036 | sc.exe
620 | sc.exe
1176 | sc.exe
1916 | sc.exe
3776 | sc.exe
3320 | sc.exe
4060 | sc.exe
2328 | sc.exe
5056 | sc.exe
1144 | sc.exe
3584 | sc.exe
2456 | sc.exe
2168 | sc.exe
1548 | sc.exe
4572 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 55 IoCs
pid | pid_target | Process | procid_target
3296 | 1968 | WerFault.exe | 90
4268 | 1968 | WerFault.exe | 90
1124 | 1968 | WerFault.exe | 90
3616 | 1968 | WerFault.exe | 90
4080 | 1968 | WerFault.exe | 90
1184 | 1968 | WerFault.exe | 90
3776 | 1968 | WerFault.exe | 90
3552 | 1968 | WerFault.exe | 90
444 | 1968 | WerFault.exe | 90
3544 | 1968 | WerFault.exe | 90
3160 | 1968 | WerFault.exe | 90
1640 | 1968 | WerFault.exe | 90
4132 | 1968 | WerFault.exe | 90
4620 | 1968 | WerFault.exe | 90
932 | 1968 | WerFault.exe | 90
1144 | 1968 | WerFault.exe | 90
4488 | 1968 | WerFault.exe | 90
4752 | 1968 | WerFault.exe | 90
4660 | 1968 | WerFault.exe | 90
2016 | 1828 | WerFault.exe |
3124 | 1828 | WerFault.exe |
3996 | 1828 | WerFault.exe |
2700 | 1828 | WerFault.exe |
1156 | 1828 | WerFault.exe |
436 | 1828 | WerFault.exe |
3364 | 1828 | WerFault.exe |
2680 | 1828 | WerFault.exe |
868 | 1828 | WerFault.exe |
3124 | 992 | WerFault.exe | 177
4488 | 992 | WerFault.exe | 177
4964 | 992 | WerFault.exe | 177
3988 | 992 | WerFault.exe | 177
4684 | 992 | WerFault.exe | 177
3232 | 992 | WerFault.exe | 177
4928 | 992 | WerFault.exe | 177
2088 | 992 | WerFault.exe | 177
1376 | 992 | WerFault.exe | 177
2504 | 992 | WerFault.exe | 177
5068 | 992 | WerFault.exe | 177
1360 | 992 | WerFault.exe | 177
1144 | 992 | WerFault.exe | 177
4304 | 992 | WerFault.exe | 177
2908 | 5056 | WerFault.exe | 289
4648 | 1436 | WerFault.exe | 292
4524 | 1436 | WerFault.exe | 292
4996 | 1436 | WerFault.exe | 292
2416 | 1436 | WerFault.exe | 292
4636 | 1436 | WerFault.exe | 292
4084 | 1436 | WerFault.exe | 292
4632 | 4128 | WerFault.exe | 113
1104 | 1436 | WerFault.exe | 292
1620 | 992 | WerFault.exe | 177
3720 | 992 | WerFault.exe | 177
2812 | 992 | WerFault.exe | 177
3588 | 992 | WerFault.exe | 177
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tffiuru
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tffiuru
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tffiuru
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Conhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Conhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsx4C5D.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsx4C5D.tmp
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3384 | schtasks.exe
1420 | schtasks.exe
3640 | schtasks.exe
-
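The Run keys, the drops under C:\Windows, and the sc.exe, netsh.exe and schtasks.exe activity recorded above are the host-side trail a detection engineer keys on. The Python below is an added example, not code from this report or from the sandbox vendor: it runs four rules over a constructed set of Sysmon-shaped events (EventID 1 process create, 11 file create, 13 registry value set, using Sysmon's Image, ParentImage, TargetObject, Details and TargetFilename field names) that mirror this report. The dropper's on-disk path and the parent of the sc/netsh/schtasks processes are assumptions, since the report lists only process names and PIDs; two benign control events are included and must not fire.

```python
"""Detection logic for the persistence and defense-evasion steps in this report, run over
Sysmon-shaped events (EventID 1 process create, 11 file create, 13 registry value set)."""
import ntpath
import re
from collections import Counter

# Directories an autostart target or the parent of an admin tool is expected to live in.
ALLOWED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows",
                "c:\\program files", "c:\\program files (x86)")
# Real home of well-known system binaries; the same name elsewhere is masquerading.
EXPECTED_HOME = {"csrss.exe": "c:\\windows\\system32", "svchost.exe": "c:\\windows\\system32",
                 "lsass.exe": "c:\\windows\\system32", "explorer.exe": "c:\\windows"}
ADMIN_TOOLS = {"sc.exe", "netsh.exe", "schtasks.exe", "icacls.exe"}

HKU_RUN = ("HKU\\S-1-5-21-768304381-2824894965-3840216961-1000"
           "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\")
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31839b57a4f11171d6abc8bbc4451ee4.exe"  # path assumed
DJVU = "C:\\Users\\Admin\\AppData\\Local\\ad444082-f4b8-4a6d-992f-793edc7f4d66\\D216.exe"  # from the Run value

# Constructed events mirroring the report. The parent of sc/netsh/schtasks is assumed
# (the report gives only PIDs). The last two events are benign controls that must not fire.
EVENTS = [
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKU_RUN + "csrss",
     "Details": '"C:\\Windows\\rss\\csrss.exe"'},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": "C:\\Windows\\rss\\csrss.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\rss\\csrss.exe", "TargetFilename": "C:\\Windows\\windefender.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Windows\\rss\\csrss.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\rss\\csrss.exe"},
    {"EventID": 13, "Image": DJVU, "TargetObject": HKU_RUN + "SysHelper", "Details": f'"{DJVU}" --AutoStart'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": DJVU},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": HKU_RUN + "VendorAgent",
     "Details": '"C:\\Program Files\\Vendor\\agent.exe" /tray'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]


def _dir(path):
    return ntpath.dirname(path.lower())


def _name(path):
    return ntpath.basename(path.lower())


def from_allowed_dir(path):
    """True when the file sits directly in a system dir or anywhere below Program Files."""
    d = _dir(path)
    return any(d == a or (a.startswith("c:\\program files") and d.startswith(a + "\\"))
               for a in ALLOWED_DIRS)


def run_value_target(details):
    """Run data is '"C:\\x\\y.exe" --flag' or a bare path; return just the executable."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe))', details, re.I)
    return (m.group(1) or m.group(2)) if m else details


def detect(events):
    """Return deduplicated (rule, subject, detail) hits."""
    hits, seen = [], set()

    def add(h):
        if h not in seen:
            seen.add(h)
            hits.append(h)

    for e in events:
        image = e.get("Image", "")
        # Rule 1: a protected system binary name running from the wrong directory.
        for p in (image, e.get("ParentImage", "")):
            home = EXPECTED_HOME.get(_name(p))
            if home and _dir(p) != home:
                add(("masquerading_system_binary", p, "expected in " + home))
        # Rule 2: Run value pointing outside system/Program Files directories.
        if e["EventID"] == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower():
            target = run_value_target(e["Details"])
            if not from_allowed_dir(target):
                add(("run_key_to_nonstandard_dir", image,
                     e["TargetObject"].rsplit("\\", 1)[-1] + " -> " + target))
        # Rule 3: file written under C:\Windows by a process that is not itself from a trusted dir.
        elif (e["EventID"] == 11 and e["TargetFilename"].lower().startswith("c:\\windows\\")
              and not from_allowed_dir(image)):
            add(("windows_dir_drop_by_untrusted_process", image, e["TargetFilename"]))
        # Rule 4: sc/netsh/schtasks/icacls spawned by a parent outside trusted directories.
        elif (e["EventID"] == 1 and _name(image) in ADMIN_TOOLS
              and not from_allowed_dir(e.get("ParentImage", ""))):
            add(("admin_tool_from_untrusted_parent", e["ParentImage"], _name(image)))
    return hits


def rule_counts(events):
    return dict(Counter(rule for rule, _, _ in detect(events)))


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit)
    print(rule_counts(EVENTS))
```

The rules deliberately key on directories rather than on the hashes or value names from this run: `C:\Windows\rss\csrss.exe` fails both the masquerade check and the Run-key directory check, the GUID-named LocalAppData folder fails the Run-key check, and a vendor installer registering an executable under Program Files passes all four.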
Delays execution with timeout.exe 1 IoCs
pid Process 1852 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | timeout.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | explorer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | cmd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | cmd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | cmd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | cmd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | explorer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time" | windefender.exe
Set value (str) | \REG<br>ISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | windefender.exe
-
Modifies registry class 21 IoCs
Process | Operation | IoC
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
explorer.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
explorer.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
explorer.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
StartMenuExperienceHost.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\MuiCache
explorer.exe | Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{319BAB5D-0862-4549-BB23-7EA7CE6BBF04}
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
explorer.exe | Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{844CA259-0887-4B53-8236-91619C6B3C43}
explorer.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
explorer.exe | Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
explorer.exe | Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries (of 64, in order of first appearance)
1044 | toolspub1.exe | 2
3728 | powershell.exe | 3
4128 | nsx4C5D.tmp | 2
3556 | Process not Found | 52
1968 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 2
3172 | powershell.exe | 3
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
1044 | toolspub1.exe
2704 | Conhost.exe
2700 | tffiuru
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token | pid | Process | entries (of 64)
SeDebugPrivilege | 3728 | powershell.exe | 1
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating pairs) | 3556 | Process not Found | 56
SeDebugPrivilege | 1968 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 1
SeImpersonatePrivilege | 1968 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 1
SeDebugPrivilege | 3172 | powershell.exe | 1
SeDebugPrivilege | 2888 | powershell.exe | 1
SeDebugPrivilege | 1852 | timeout.exe | 1
SeDebugPrivilege | 4672 | powershell.exe | 1
SeDebugPrivilege | 2460 | cmd.exe | 1
Suspicious use of FindShellTrayWindow 32 IoCs
pid | Process | entries (of 32)
3328 | explorer.exe | 16
3416 | explorer.exe | 16
Suspicious use of SendNotifyMessage 22 IoCs
pid | Process | entries (of 22)
3328 | explorer.exe | 11
3416 | explorer.exe | 11
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1796 | BroomSetup.exe
4960 | StartMenuExperienceHost.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3556 | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Source PID | wrote to memory of (target PID) | Source process | procid_target | entries (of 64)
4440 | 3180 | Process not Found | 88 | 3
4440 | 1044 | Process not Found | 89 | 3
4440 | 1968 | Process not Found | 90 | 3
3180 | 1796 | InstallSetup7.exe | 115 | 3
4440 | 2112 | Process not Found | 101 | 2
4440 | 2832 | Process not Found | 99 | 2
3180 | 4128 | InstallSetup7.exe | 113 | 3
1796 | 3084 | BroomSetup.exe | 116 | 3
3084 | 4492 | cmd.exe | 118 | 3
3084 | 3384 | cmd.exe | 326 | 3
1968 | 3728 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 141 | 3
1828 | 3172 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 161 | 3
1828 | 2416 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 300 | 2
2416 | 4660 | WerFault.exe | 170 | 2
1828 | 2888 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 174 | 3
1828 | 1852 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 307 | 3
1828 | 992 | 31839b57a4f11171d6abc8bbc4451ee4.exe | 177 | 3
992 | 4672 | csrss.exe | 192 | 3
992 | 2460 | csrss.exe | 223 | 3
992 | 4456 | csrss.exe | 211 | 3
992 | 1264 | csrss.exe | 217 | 2
3556 | 2704 | Process not Found | 233 | 3
1864 | 2460 | windefender.exe | 223 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree. [n] is the depth in the tree; each entry shows the command line, the image path where it differs from the command line, the behaviour tags, and the PID.)

[1] "C:\Users\Admin\AppData\Local\Temp\file.exe"
    PID: 4440
  [2] "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 3180
    [3] C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        PID: 4128
      [4] C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2372
          - Program crash
          PID: 4632
      [4] "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp" & del "C:\ProgramData\*.dll"" & exit
          image: C:\Windows\SysWOW64\cmd.exe
          PID: 3288
    [3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1796
      [4] C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          image: C:\Windows\SysWOW64\cmd.exe
          - Suspicious use of WriteProcessMemory
          PID: 3084
        [5] chcp 1251
            image: C:\Windows\SysWOW64\chcp.com
            PID: 4492
        [5] schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            image: C:\Windows\SysWOW64\schtasks.exe
            - Creates scheduled task(s)
            PID: 3384
  [2] "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 1044
  [2] "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1968
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 372
        - Program crash
        PID: 3296
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 388
        - Program crash
        PID: 4268
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 420
        - Program crash
        PID: 1124
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 676
        - Program crash
        PID: 3616
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
        - Program crash
        PID: 4080
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 744
        - Program crash
        PID: 1184
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 748
        - Program crash
        PID: 3776
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
        - Program crash
        PID: 3552
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 776
        - Program crash
        PID: 444
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 636
        - Program crash
        PID: 3544
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 908
        - Program crash
        PID: 3160
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 900
        - Program crash
        PID: 1640
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 996
        - Program crash
        PID: 4132
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 772
        - Program crash
        PID: 4620
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 924
        - Program crash
        PID: 932
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 852
        - Program crash
        PID: 1144
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 856
        - Program crash
        PID: 4488
    [3] powershell -nologo -noprofile
        image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3728
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 980
        - Program crash
        PID: 4752
    [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 616
        - Program crash
        PID: 4660
    [3] "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 1828
      [4] C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          image: C:\Windows\system32\cmd.exe
          PID: 2416
      [4] powershell -nologo -noprofile
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2888
      [4] powershell -nologo -noprofile
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          PID: 1852
      [4] C:\Windows\rss\csrss.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Manipulates WinMonFS driver.
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          PID: 992
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 240
            - Program crash
            PID: 3124
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 392
            - Program crash
            PID: 4488
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 612
            - Program crash
            PID: 4964
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 720
            - Program crash
            PID: 3988
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
            - Program crash
            PID: 4684
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
            - Program crash
            PID: 3232
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 760
            - Program crash
            PID: 4928
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 788
            - Program crash
            PID: 2088
        [5] powershell -nologo -noprofile
            image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID: 4672
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 388
            - Program crash
            PID: 1376
          [6] wusa /uninstall /kb:890830 /quiet /norestart
              image: C:\Windows\system32\wusa.exe
              PID: 3720
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 908
            - Program crash
            PID: 2504
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 712
            - Program crash
            PID: 5068
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 748
            - Program crash
            PID: 1360
        [5] powershell -nologo -noprofile
            image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PID: 2460
          [6] sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              image: C:\Windows\SysWOW64\sc.exe
              - Launches sc.exe
              PID: 2036
        [5] schtasks /delete /tn ScheduledUpdate /f
            image: C:\Windows\SYSTEM32\schtasks.exe
            PID: 4476
        [5] schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            image: C:\Windows\SYSTEM32\schtasks.exe
            - Creates scheduled task(s)
            PID: 1420
        [5] powershell -nologo -noprofile
            image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            PID: 4456
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 972
            - Program crash
            PID: 1144
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 640
            - Program crash
            PID: 4304
        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            - Executes dropped EXE
            PID: 1264
        [5] schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            image: C:\Windows\SYSTEM32\schtasks.exe
            - Creates scheduled task(s)
            PID: 3640
        [5] "C:\Windows\windefender.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 1864
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 900
            - Program crash
            PID: 1620
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1128
            - Program crash
            PID: 3720
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1160
            - Program crash
            PID: 2812
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1088
            - Program crash
            PID: 3588
  [2] "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID: 2832
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        PID: 3008
    [3] C:\Windows\system32\sc.exe start "WSNKISKT"
        - Launches sc.exe
        PID: 620
    [3] C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
        PID: 3320
    [3] C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        - Launches sc.exe
        PID: 3584
    [3] C:\Windows\system32\sc.exe delete "WSNKISKT"
        - Launches sc.exe
        PID: 1548
    [3] C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        PID: 5112
    [3] C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        PID: 4048
    [3] C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        PID: 5088
    [3] C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        PID: 4648
    [3] C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
        PID: 2328
    [3] C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
        PID: 3776
    [3] C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
        PID: 5056
    [3] C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
        PID: 4572
    [3] C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
        PID: 1144
    [3] C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        PID: 1376
  [2] "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
      - Executes dropped EXE
      PID: 2112
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 19681⤵PID:4752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 19681⤵PID:4684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1968 -ip 19681⤵PID:3312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1968 -ip 19681⤵PID:2256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 19681⤵PID:4924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 19681⤵PID:4460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 19681⤵PID:3772
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1968 -ip 19681⤵PID:2868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 19681⤵PID:1588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 19681⤵PID:2556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 19681⤵PID:5076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 19681⤵PID:3444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 19681⤵PID:3256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 19681⤵PID:3996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 19681⤵PID:616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 19681⤵PID:2008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 19681⤵PID:4104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 19681⤵PID:1940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 19681⤵PID:432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 3361⤵
- Program crash
PID:2016
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 3521⤵
- Program crash
PID:3124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 18281⤵PID:1788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 5841⤵
- Program crash
PID:3996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1828 -ip 18281⤵PID:2036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1828 -ip 18281⤵PID:1376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 7081⤵
- Program crash
PID:2700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 7041⤵
- Program crash
PID:1156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 7401⤵
- Program crash
PID:436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1828 -ip 18281⤵PID:5068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 7361⤵
- Program crash
PID:3364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1828 -ip 18281⤵PID:4440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1828 -ip 18281⤵PID:312
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 6881⤵
- Program crash
PID:2680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 18281⤵PID:4660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 3521⤵
- Program crash
PID:868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1828 -ip 18281⤵PID:1420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1828 -ip 18281⤵PID:4356
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
PID:4660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 9921⤵PID:5112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 9921⤵PID:2092
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 9921⤵PID:1264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 9921⤵PID:1916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 9921⤵PID:1956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 9921⤵PID:1704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 9921⤵PID:4104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 9921⤵PID:4036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 9921⤵PID:1536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 992 -ip 9921⤵PID:3496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 9921⤵PID:4440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 9921⤵PID:4036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 9921⤵PID:5076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 9921⤵PID:1156
-
[1] C:\Users\Admin\AppData\Local\Temp\AA0B.exe | PID 2704
[1] C:\Windows\windefender.exe | PID 4696 | Executes dropped EXE; Modifies data under HKEY_USERS
[1] C:\Windows\SysWOW64\cmd.exe :: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) | PID 2460 | Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
[1] C:\ProgramData\wikombernizc\reakuqnanrkn.exe | PID 4256
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 3416
  [2] C:\Windows\explorer.exe :: explorer.exe | PID 4364
  [2] C:\Windows\system32\conhost.exe | PID 4604
  [2] C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID 932
  [2] C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID 2868
  [2] C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID 1432
  [2] C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID 2192
  [2] C:\Windows\system32\sc.exe stop dosvc | PID 1176 | Launches sc.exe
  [2] C:\Windows\system32\sc.exe stop bits | PID 2456 | Launches sc.exe
  [2] C:\Windows\system32\sc.exe stop wuauserv | PID 4060 | Launches sc.exe
  [2] C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 1916 | Launches sc.exe
  [2] C:\Windows\system32\sc.exe stop UsoSvc | PID 2168 | Launches sc.exe
  [2] C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 4436
[1] C:\Windows\System32\Conhost.exe :: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2704 | Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
[1] C:\Windows\system32\wusa.exe :: wusa /uninstall /kb:890830 /quiet /norestart | PID 4932
[1] C:\Users\Admin\AppData\Local\Temp\D216.exe | PID 2700
  [2] C:\Users\Admin\AppData\Local\Temp\D216.exe | PID 2780 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application
    [3] C:\Windows\SysWOW64\icacls.exe :: icacls "C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66" /deny *S-1-1-0:(OI)(CI)(DE,DC) | PID 1416 | Modifies file permissions
    [3] "C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask | PID 3416
      [4] "C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask | PID 5056 | Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 568 | PID 2908 | Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5056 -ip 5056 | PID 4136
[1] C:\Users\Admin\AppData\Local\Temp\D91C.exe | PID 1436 | Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 552 | PID 4648 | Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 572 | PID 4524 | Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680 | PID 4996 | Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680 | PID 2416 | Program crash; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1056 | PID 4636 | Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1072 | PID 4084 | Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1104 | PID 1104 | Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436 | PID 1944
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1436 -ip 1436 | PID 2192
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436 | PID 4268
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1436 -ip 1436 | PID 4256 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1436 -ip 1436 | PID 4756
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436 | PID 2180
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128 | PID 1152
[1] C:\Windows\SysWOW64\timeout.exe :: timeout /t 5 | PID 1852 | Drops file in System32 directory; Delays execution with timeout.exe; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Roaming\tffiuru | PID 2700 | Executes dropped EXE; Suspicious use of SetThreadContext; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\F139.exe | PID 1884 | Executes dropped EXE; Suspicious use of SetThreadContext
  [2] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID 4572
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436 | PID 3332
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992 | PID 2680
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 992 -ip 992 | PID 4252
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3328 | Modifies Installed Components in the registry; Enumerates connected drives; Checks SCSI registry key(s); Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  [2] C:\Windows\system32\WerFault.exe -u -p 3328 -s 6064 | PID 3384
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4960 | Modifies registry class; Suspicious use of SetWindowsHookEx
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3416 | Modifies Installed Components in the registry; Executes dropped EXE; Enumerates connected drives; Drops file in System32 directory; Suspicious use of SetThreadContext; Checks SCSI registry key(s); Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 436
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 1312
[1] C:\Windows\explorer.exe :: explorer.exe | PID 4088
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4664
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4340
[1] C:\Windows\system32\WerFault.exe -pss -s 572 -p 4088 -ip 4088 | PID 3288
[1] C:\Windows\explorer.exe :: explorer.exe | PID 996
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 212
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3684
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3236
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4368
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3732
[1] C:\Windows\explorer.exe :: explorer.exe | PID 4280
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4244
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4360
[1] C:\Windows\explorer.exe :: explorer.exe | PID 732
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 2372
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 5012
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3508
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 2680
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3620
[1] C:\Windows\explorer.exe :: explorer.exe | PID 4740
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 1820
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 64
[1] C:\Windows\explorer.exe :: explorer.exe | PID 5004
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3220
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3656
[1] C:\Windows\explorer.exe :: explorer.exe | PID 4048
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 2876
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3876
[1] C:\Windows\explorer.exe :: explorer.exe | PID 2124
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4924
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3540
[1] C:\Windows\explorer.exe :: explorer.exe | PID 4168
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 2328
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 2008
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3180
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 992 -ip 992 | PID 4524
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992 | PID 5060
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4372
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4116
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3508
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 5060
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 1744
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3924
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 1432
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 5096
[1] C:\Windows\explorer.exe :: explorer.exe | PID 5112
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4048
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 5084
[1] C:\Windows\explorer.exe :: explorer.exe | PID 3792
[1] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3032
[1] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 64
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
  Modify Registry (2)
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
102KB
MD5df76ce8699fed75b7a3426eebf580127
SHA1290214b2cfd15afc810f4cd55c87f885033702dd
SHA2561681e9a60e272057441a8546fc41a0bc14a877fb011d1d1ebf9a1b6afc68369b
SHA51271d34e5e4b11c9c5b93b62eac084cd10c1782b7bc3b595c3a2fb79d0c9fa2d3801ccc0e6f2728a3252502f96de8fcb7870e9a6768270e1c65c6c008ba797b6a3
-
Filesize
58KB
MD5dc10598651f34fa66cc960426b75addf
SHA134185a08319a9e85a27b1049ed2e180eea3dc1fa
SHA2564f81550500e70bbc82e159ae30f6c36cdf77c8fce8798c2115d2f1009c8c728b
SHA512957d8fc399e2a80e8543948512c4bdcb2bbb8ad9da8db48caeb2795da0d7301dd5e89565b1fb9ab815f999202dcf96cd42679ba835ef7407992676cec74b0aec
-
Filesize
156KB
MD55897931be7c71ddc241122cd20518654
SHA1e3a5456f9c933aa8979b829681adfb4d4eedc016
SHA256ee3de93e66cb39c0ccc31fb9692588cc8d7a9b2124e2899a832fb428002bf3f9
SHA5121d742a2b15f226cf06802978652f0da6a96a0b3dae99d0485c57bb82387e62e244d9129a03a22d421c9966a78440efbbc4401c3334f399cd94b83810188de316
-
Filesize
41KB
MD50d64d3dcbc327c908a8e5d673f48d9fc
SHA139120b24a10e5c466f63121c7ffecec0d7d16fe0
SHA25618b1d3b797f5d432587bf03551e84490a1619c5f8d596ecca7bdbf58af1ab1a7
SHA512a88f591fa056c00a15c761e10ca0646facf14a7e9b6117b340c3da03aa780202e3ccd1b3da583ce0e8d656871027b7c56a8c28d2dd7cc8e73133fd6b17e486e0
-
Filesize
17KB
MD5f8e493230d71938f88d66332848bb073
SHA1d22317e61922e6207f064a8cae23709fb61ea1dd
SHA2565a5bd560d0f7fc62141a60e124a7b8cd0130ebdcaa820fe523cd7979a2a3636f
SHA512ce301f7eef53afa5d6ef5a9cbb602e50295b29ca9c7389aa5f49c18c5bf41577939ffdac9d6ce7b80045804d09f74efc71a2fbd35439c557182893b42db95fcc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize471B
MD562876997ebe1a7782b290d3e0b42cf5e
SHA1125b7fcdd8b115731b16c4ddc12511ba9ef07b4b
SHA256087ab6e9ddb7c92957c39f04bd236dd4d69bc67aefeed8318ba3e3305fd80232
SHA512aa760e4e27f58d798b025f61ccfa11fcf364fbe6a06f2e3c9b855e4ad1386334e0d23783bc980787c3c492746f307a68d7e26e49e444b45923c5a578ac4a2240
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize412B
MD5c2637b6719f6a23e93d0f1166d66cbf4
SHA1c7c236c79bb4224df7ecd9742b79bdd6c0dccd96
SHA256b0a9a7b3d509896eb2c255e94130d9fbdcf4328119d1f489b241ec9662c14e8c
SHA51222e96f546e5c6f1c87704df88916c0657c2acb29fdc4f6877fe2558ef2417f508d869a478556d83048deb1942c4913552fc1562eccdde733e806a52b58a6de98
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml
Filesize96B
MD5b97f6e2cc1520a2e8426851cb68f3b0f
SHA133a930fe90facb202ec3cd87ca0275af9dd20155
SHA256a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa
SHA5129b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a
-
Filesize
324KB
MD52b112a6d732f1262b4a2ef16e776d687
SHA1300fca0505089ccaa5f54a46926a1878c2c416cc
SHA256903e2c86b85620c74466d1725c8aae91d010cd2808e79c88f8b4e7955ea92834
SHA512822e34171be8967f91e1e81ba81d684156e1d98fedc338b5962316177e68cfb1c81076a06e221ef6071d47090949556604faa8997574e24d9633773301b5e46e
-
Filesize
355KB
MD51548210955eb85eb6ab7c0acbb0e9dc5
SHA17d4ca037aabef29ae050901647035b8d7dcd831c
SHA256d70e2faad95031607770eb2ce3a1e1550a824f36553ac0885b90bd014f6cba39
SHA512b9c70138d92d39f34cf53ad3d6d76b7cd240e8ba0ea96845bc03b255a726aea2696e98a53369eca9ddfb6fca6162b4fe0dd5dd58b2197278055d65cf9078d3f7
-
Filesize
751KB
MD50ff69fb6975af6a20508a93692b9d35c
SHA142bcbb527ab8f847219c1d90044c6e75786c5b1e
SHA256b0685c3314ab8cc0fece3351b2348d705726479af5855d71bf37a31116481b1b
SHA512eaf82efa815c165187c1e01fd2a9a34219de6cefeab8a93876fbce5ffbc96b9e44e71d6543c82026e79ea575468f65b01916a1b1235b9313c470b4fbc612f9bd
-
Filesize
457KB
MD53d497a2919d2e53ee408ac5984676eed
SHA151f93a7222ef01d9c808a1e04110a2a8ad02cc2f
SHA256381ba45ff1a4be6e33a7e4a4bae61e8e9685b02e8079a0766cf674306618f7d2
SHA5123606dd2d887c8934e1d90a544af5a2b682453e57080cf1e0cec2eda0f893c9756650cd5d07fba523e21c8e260a948469fa40058613180961321b8b60298604d5
-
Filesize
35KB
MD5214239b86357459322e74fdb57ce4cce
SHA113295cd242eafeb39f4970918f74a046415ca581
SHA2560a05ac5c787453db65a62ea4987fc1cb47eb386187bfb14eb3565e6a2ede4605
SHA5123af02d1a9d31171beb23807f213d2f859404b46d6ec7d6adba0665eecfd37a4391c1f41db3ee16b76bc6ca394af9943802ffa914d9f385b654191bf2d4038f07
-
Filesize
619KB
MD55cac8c08924e6805b8b976e1a6c1ddd3
SHA14ba4d400cab5ccfe4efc2d99789270733cbd078d
SHA256a49338a38a7702ad6cef0019f1795965088b824dfdafaf87985bd6cb4659d4a2
SHA512b2e807627f4f9fd976a21985408f3b9e4c21dbd0168310fad35afed09f578fd03e5deb72618bdf77058ab1bb6332468bc3beb9530d9b91bd3558caeb6fb2eec9
-
Filesize
89KB
MD5df4153719bf93cc3ef7d3934fe75d815
SHA1d929cacc16bfcd227c7458fd940eddcaac1553c1
SHA2560fadd34aa822d465c602a94722aa35556f064cbb69efa44e77ebfe07e79387ca
SHA5121f8847a341b27a79822046ebff66cab820a3ab59c76dc0548ef8b94ba2203583a6fe88dbd639e93888acfcf1e4918bf8ec7321f49e88fc2738114a17ba57dc62
-
Filesize
105KB
MD53d5860ff13b28a66dd4cbc3bdfa59323
SHA1f5f60293fefc60cced423a1c61506d926f0644c2
SHA2563836672bd9458807f12f7fcf462bf92a0b0e2c9848692b94e1c85578ff6a7296
SHA512affd16034a94cce2c626d685273a4ecff555f384542bea7291758446e85c253d468e09d4e6395bb878a829e0c87a502db2c98a2ee72a4982300b1bf158410aa3
-
Filesize
118KB
MD5f7b3b2856fadd7409aa8a475d7214647
SHA148e34f6198d8833313c86bf96b49210681f0d582
SHA256475a5dbc82008cb8a37eb562ddc4d366bdd15aedce311f3f81dcd6a2d747f7f5
SHA512d2d973bb1a5c2c3564e8175c4e31ddda3a706da607e2cdb26dec377aff1a10fa8998ab6a39d4b2ecc8940c1118c35d938b2d90835e8c0de25b5df456ff7e2295
-
Filesize
23KB
MD5048c672b47545cb53cde88463cff9e8d
SHA1a7202603189c11a7b4161f44959a260d14a802df
SHA256cfdc20f363e5355b39e397b848359bdf2ddf679d7a0d6837b9d2ba85b42e43bd
SHA512eba7c49471bde93b997d9a992ff72bffe66dc5e6bd6e22155e40face33b3cc869b8cc170276449a50e474ed9db87e93b76c3fe9ead91419235f077cae92d1009
-
Filesize
92KB
MD53cee442c6f161beb2d95c3165d2df5f2
SHA1c42c51b040553315b635bfe632d998d9ef4fc8a0
SHA2561d84cf47490d22c25d2bd5180fa4058298cb52339aed3466f7318d2d56dbb3b1
SHA512d8f4cdf5399acc2b00864d4466634c83507e76b914b6591e82275f46ba9fdcbf096034dbee4ac8f416ac3216c4d5937260a10cdc6f7649ec9835ab9e5af37850
-
Filesize
83KB
MD57b08adfddb5e328bb58b6959705cf679
SHA14fd1e84403e024a7399372a620eee253b4c8db19
SHA256a18a0bc0ff8dc32f14b55a399ee043a223d2d4532d2404af585fa09adb046ad6
SHA51212b593c28570e20920a67c3ec021601030d2aff295164387095afcfc620b9a1a05cd2f13d8808da0830c0cb11e06a589b8f61e1bd59f8a83da87f0434f92a162
-
Filesize
56KB
MD5b6748ff05625e9819b726e68a88a9138
SHA134c2a660ed51e28a5c32795bb51887c4dc875721
SHA256e4312e8be1f69de74c32f50f340de53ee042c05b17e834bff82eecf907de6f0d
SHA5120474ac012530069ce2be2fdc9ee851de174a7ec6a680e76b4b4a423c7ea473fdee0f184b0e190a28e9ba1e07c27f992533fe811ebedb6e19fcda4036c2e54a1d
-
Filesize
15KB
MD5545659831744d6fc9a9693cea0399ccf
SHA1c6e3764cb67e4ce16a25eaffa6317ad38134b694
SHA256c70ec3a2fb40276d83d3dddd69a7c98ff2b7cca7babb88fbc18be32656edc13d
SHA51229ca4ba9efeec532afa0f999820c655ab6cd5de2f2d47b826d2000f6f399e307f727450af9d876585bbb723733828d252ad58d1720610921db99f70694eaa9a9
-
Filesize
1KB
MD5416c86010c09fe4b9a27d9254e211a1f
SHA1ba372d9ad6715848c1cf7692ff1236c212f847ae
SHA25622085ff3e536acded0f65127d10233a67a17452b49ce05b30d9e50b77d415ff5
SHA512d26696d353be55d254e2efbf0d8741c9df967c2c42cc4d44b518205685d295747524ffc8ebd9dc46d99965bda6e5d48e209b90c62576398d34694e0ad67130ff
-
Filesize
284KB
MD5027683e722bab2e4377ec452629ad74d
SHA1f59081a2f0fbcd58735c514df074f26cbd2ce014
SHA25621c818b871eadd2c81f307df8f35802b2acdba13958153790e5b1d6bbd563c0c
SHA512ead624dfc963f4152970102903b7f7482ba833dc4d1241fce6ee246e1c95de9014fddc0c0b9a08c799ac701f69a65ef1540c2fe32682003e73fa7db9915ad79f
-
Filesize
407KB
MD5b2024a23ab1c9252e4a8f7025e153bf4
SHA1018a4132ff1f38b25f2760f786393248ac1c6b06
SHA256315720e074330db5058b9796ca0218e87ca1807f1640601f1dbd6562d5afd856
SHA512dd6e590cd908c7c1934436247f97d41325b7efd8fa696e6926d909a183966c225e602664a0c2401b226949d05fe5610894bc5d4f604efdcf2e9354d544ffbda1
-
Filesize
1.2MB
MD5a404b4ae2513376edeecb59baf5dbedc
SHA1afe29cbc40a9699eda7b325db21a7b04e8f25b08
SHA256067d015fdad95156df5b6d9fb0a61c2b3eca6a4984c05d3dc167dc2a1b438f3a
SHA512744775d54bc9a34fb543934cf45c9f71560b78fe12c4dbb2460a70c22eaffebf2f1308f2a64c767f92a1e402c01dd5332347a736335c45083b0501dab3c89274
-
Filesize
582KB
MD5c44759d4de6ae6fb0e8a9f97cbc77c76
SHA104d35db6adb36d4de9238c8742a682442bb5c5d8
SHA256956a64a630a21f51e799fb156d84d220c3f57b80cf574dce9f071d6cf3831e8f
SHA512587b629eaad1b5a3a9da6e0d054fccbf26086631a822170ea118db31408ee4b0e6f2d64366f712be0c451ca54f28988b15f218c46b59d0d2b4bdcb60f0aa6c1d
-
Filesize
326KB
MD5be2b24cc36d5af4fa30b19a7d2c123a2
SHA1311e1ee5bedb11eb422e40fbf2117344eec92c67
SHA25642a9cb5e78a790e8cd6d313d034d5993702adc8524193190fb4d2aac840a6078
SHA51204bf48606cad695649bfe7b0d0c609befe86ed89a71d265f3f7107ff5dd870f8eb71510a9ed52b3e536dee86df3434bcc4d8d60bcc0ed5c134a9c44b4a8ac0ed
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
112KB
MD52fc16440056599d85ef09e0ee6ff8a47
SHA10e2cfcf11cbc2e98199ffe7be977d6e52dfbf7b9
SHA2561b1d16a935d0a1bd3359744f4eabdaf43b82404a719bacbd9066e4da8a71b409
SHA5122a31ca4e391a6f0e2bf335c3a337e76128f4160f0d68d22b46b6e324d9fc6bd10ba5d51dec26a7b66e87978183d3f9cc137161d923454d1f18124ecbc1126753
-
Filesize
101KB
MD5739bcb3bf50d886d959f622d46ba495d
SHA1d177cf5fc654a0707aebf146883d7ff874b20258
SHA2566fdc820c2abb1082c4d05c0e27e2c4c6ec7ac7c30ff703562ea749e0c4b91690
SHA51262657ddeadee9786ecdb6c045587affcb09d3512b6c96670bdf9b084740b50abf4bae40f79a5a1d3aa988e90401a86923868d14ff7b487d585ad51f3c92f95a9
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
112KB
MD5c00e84215fabb2bdbd401b84ee2ca5ca
SHA1b96cae5127b50a2cb411df6d01ba21e4e0db44dc
SHA2565c9fe2ee1ff6e0c06eaf17ad7dd2ad1a34d6f91f0d3c6b89d3f2bdb64fe25be8
SHA512f76555b7188799ea8bde8e6e24ff1d8130ea9d57758f5e0d3ba52d9e9192d32a91a79e625c8491bdd2bfeb10ef53d9898d75cd7246dadcefa2d4c0100a5f482f
-
Filesize
131KB
MD5b0f1006801c660b9a1325c74a4fd5a66
SHA1fcc11968935031574d7608510843c304906b3d4e
SHA256efcb219a54fa8709e0beec5ec8d3d996fa99bc00015b1adb5a0187e2ef941231
SHA512d616e4106c0529fc17d4fbec3966a46a40d2454c6a1e7a8e53158fcacf542a44785f36bfd0f6d4aebbd4f82abe1330739e3763d62b885e107c0a9463d291218e
-
Filesize
64KB
MD58e9e53632a68149939724287033caf49
SHA1fe8a8bed676a9cd446630410cd2cc5c869366472
SHA256a2d6c0f818e1e3d4ca6ed17c7227cef2c6c0ae394f12fcd29e2d2543a7fc8eb6
SHA5126c3ce0e26513a6c1e003708728036c8b87e0049e99c3f444e2c43d825cbef8c2dab5a4081f0723a23a82d5cdd4d74a6e5bcfd51e157593831733c39f58e3f904
-
Filesize
326KB
MD5a6fef0562abecca0d7b3567825ae5b99
SHA12fa30153197cf09fd9bc36a26c062ee69644be2d
SHA256dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b
SHA5127d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8
-
Filesize
93KB
MD58558ffd304c5b84d1d5d8ac83e3000d5
SHA16e73dc9a72ae2e46a735907f1f7cca5e5dea810e
SHA256b1a2eadddffe5f5e209e791cf623ba551ae90e8611c8e8491e5b1a82d80ba226
SHA512b499f68f9e1e7ef59ef3093fdbbc210c616cc4e638775ad57d884a64cfca8a2e52bb78e2b28e95a273ec2b88bcdde5fb139687d73cecc6c0963cbdb6852a25b6
-
Filesize
224KB
MD54fe7bef521345515a1a3e94fa4a25c3a
SHA1081fe1bedaabd9586b4c3af635814de71d41467d
SHA256c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA5123f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec
-
Filesize
6KB
MD509acd913007535d86da7019f1318f7c6
SHA186bfd0a3356ed1e5e6c1366cf2a7cd54f4ad7b73
SHA256101deb9c762d69d4226c96ad4092ddff8fc5c54a931cebffd8814d26889e0bc7
SHA5121ff2a39f45b50cb0123807407da021752faef8bef382d07a5c01b7483c403c28bcffbfd8d3345a2495238474a1a0cc36fc4ea1006cda2e8e06d84655dfe15d48
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
168KB
MD5c7fbc8d52e8a443bce41c27c7f8c9d67
SHA144f73eb8b67d2d0413bc10d0d887d2f3430b09c2
SHA256802849a54e006d1d46be18a9488d103b2e93ffc9f52c9338682152272420a6a7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
7KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
-