Analysis
- max time kernel: 129s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2024 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: CRACKED-V4 (UPD).exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: CRACKED-V4 (UPD).exe
  Resource: win10v2004-20240226-en
General
- Target: CRACKED-V4 (UPD).exe
- Size: 58.1MB
- MD5: 2d3eebbf8c1a46b2f8443982b64ec61a
- SHA1: 3ed59d3cb1c6c7b91187043a98026de5904f9dd7
- SHA256: 1361f85f419e83f50a754cd8ca3d2c974eb60f6733dc634d7b74eb2ec63d418f
- SHA512: 8a3ec42aa1de6e31befd9de6ebba448bfc7d6216615c08740db000787f03a92bc31311718a309a1862bb753bcfc7a0c72a02fe2cc1b5752cd7ded82954cf9db7
- SSDEEP: 1572864:CRW/tqZfvql5cfSrbpFKCpPI93FvjafI/er3zpAEc34aD:C4/gfvcKSDpuv9eLtANr
Malware Config
Signatures
Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0005000000016868-56.dat | family_umbral
  behavioral2/memory/3292-66-0x0000024533540000-0x0000024533580000-memory.dmp | family_umbral

Creates new service(s) (1 TTPs)

Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\drivers\etc\hosts | MINER.exe

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | CRACKED-V4 (UPD).exe

Executes dropped EXE (4 IoCs)
  pid | Process
  4076 | MINER.exe
  3292 | STEALER.exe
  1332 | exiffkcmhtzm.exe
  2404 | RAT.exe

Drops file in System32 directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\MRT.exe | MINER.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4076 set thread context of 1980 | 4076 | MINER.exe | 127

Launches sc.exe (9 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2172 | sc.exe
  4528 | sc.exe
  1692 | sc.exe
  1416 | sc.exe
  4520 | sc.exe
  4328 | sc.exe
  3520 | sc.exe
  3980 | sc.exe
  4764 | sc.exe

Detects Pyinstaller (1 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000001686a-255.dat | pyinstaller

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | Process not Found
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Process not Found
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process not Found
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Process not Found
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Process not Found
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process not Found
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Process not Found

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Process not Found
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Process not Found
Modifies data under HKEY_USERS (47 IoCs)
Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (59 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2624 | svchost.exe
  2624 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1104
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1524
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:4740
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2000
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:956
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:1968
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:4396
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:3020
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1564
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1944
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2016
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2024
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2200
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2508
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2624
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2780
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3200
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4136
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:5000
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1020
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1516
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:1844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3216 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:31⤵PID:2496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe"C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2644
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:4328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2172
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:3520
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:4528
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:3980
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RVUILGKT"3⤵
- Launches sc.exe
PID:1692
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RVUILGKT" binpath= "C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe" start= "auto"3⤵
- Launches sc.exe
PID:1416
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:4520
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RVUILGKT"3⤵
- Launches sc.exe
PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵PID:4760
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe"2⤵
- Executes dropped EXE
PID:2404
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256
-
1⤵ C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
PID:3648
-
1⤵ C:\Windows\system32\wbem\wmiprvse.exe
    cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
PID:4892
-
1⤵ C:\Windows\servicing\TrustedInstaller.exe
    cmd: C:\Windows\servicing\TrustedInstaller.exe
PID:1908
-
1⤵ C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2832
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PID:5044
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3972 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
PID:4944
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5404 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
PID:3808
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4548 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
PID:1480
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5420 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
PID:5068
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4952 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
PID:924
-
1⤵ C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe
    cmd: C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1332 -
2⤵ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
1⤵ C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k WerSvcGroup
PID:3544
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003d8 00000088
PID:3940
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000344 00000088
PID:2464
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000364 00000088
PID:2452
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003c4 00000088
PID:616
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000001d8 00000088
PID:2256
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000001ec 00000088
PID:4740
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 0000029c 00000088
PID:3184
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003cc 00000088
PID:3468
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003a8 00000088
PID:3912
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003bc 00000088
PID:2988
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003c4 00000088
PID:2404
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000390 00000088
PID:2556
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000003f8 00000088
PID:736
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000398 00000088
PID:3512
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 0000036c 00000088
PID:4448
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000324 00000088
PID:936
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000380 00000088
PID:1488
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000002f8 00000088
PID:3384
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000001ec 00000088
PID:4048
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000244 00000088
PID:3468
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000220 00000088
PID:5044
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000254 00000088
PID:3976
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000160 00000088
PID:64
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000148 00000088
PID:3996
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 0000016c 00000088
PID:3104
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000164 00000088
PID:2000
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000158 00000088
PID:3116
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000108 00000088
PID:1968
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 00000158 00000088
PID:4396
-
1⤵ C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe 000000cc 00000088
PID:956
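The process tree above contains five behaviours that can be caught from process-creation telemetry alone: sc.exe creating a service ("RVUILGKT") whose binary lives under C:\ProgramData and then starting it, sc.exe stopping the eventlog service, cmd.exe using choice /T 3 as a sleep before deleting the dropper MINER.exe, wmic csproduct get uuid launched by the dropped STEALER.exe (hardware fingerprinting), and powershell.exe calling Add-MpPreference to exclude the user profile, ProgramData and every .exe from Defender scanning. The Python below is an added example written for this page; it is not part of the sandbox report or of the sample. It runs those checks over a handful of events constructed from the report's own command lines and PIDs. The ProcEvent record, the TRUSTED_BIN_DIRS allow-list and the parent values are assumptions: parents for the depth-3 sc.exe and cmd.exe rows are not visible in this excerpt and are left as None.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 carry)."""
    pid: int
    image: str             # image path of the new process
    cmdline: str           # full command line
    parent: Optional[str]  # parent image; None where this excerpt does not show it


# Constructed sample: command lines and PIDs are copied from the process tree in this
# report. Parent images of the depth-3 sc.exe/cmd.exe rows are not shown there (None).
SAMPLE_EVENTS = [
    ProcEvent(1416, r"C:\Windows\system32\sc.exe",
              r'C:\Windows\system32\sc.exe create "RVUILGKT" binpath= "C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe" start= "auto"',
              None),
    ProcEvent(4520, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog", None),
    ProcEvent(4764, r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe start "RVUILGKT"', None),
    ProcEvent(2964, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"',
              None),
    ProcEvent(4752, r"C:\Windows\System32\Wbem\wmic.exe", r'"wmic.exe" csproduct get uuid',
              r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"),
    ProcEvent(2988, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
              r"C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe"),
]

# Assumed allow-list: service binaries and wmic parents under these roots are not flagged.
TRUSTED_BIN_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_SC_RE = re.compile(r'^\s*"?(?:[^\s"]*\\)?sc(?:\.exe)?"?\s+(\w+)\s*(.*)$', re.I)
_EXCL_RE = re.compile(r'-Exclusion(Path|Extension|Process)\s+(.+?)(?=\s+-[A-Za-z]|$)', re.I)
_SELFDEL_RE = re.compile(r'choice\b.*?/T\s+(\d+).*?&\s*del\s+"?([^"&]+?)"?\s*$', re.I)


def sc_verb(cmdline):
    """(verb, arguments) for an sc.exe command line, or None if it is not sc.exe."""
    m = _SC_RE.match(cmdline)
    return (m.group(1).lower(), m.group(2)) if m else None


def service_persistence(events):
    """Services created by sc.exe with a binary outside TRUSTED_BIN_DIRS.
    Returns {service_name: (binpath, started_via_sc)}."""
    created, started = {}, set()
    for ev in events:
        parsed = sc_verb(ev.cmdline)
        if not parsed:
            continue
        verb, args = parsed
        if verb == "create":
            m = re.match(r'"?([^"\s]+)"?.*?binpath=\s*(?:"([^"]+)"|(\S+))', args, re.I)
            if m and not (m.group(2) or m.group(3)).lower().startswith(TRUSTED_BIN_DIRS):
                created[m.group(1)] = m.group(2) or m.group(3)
        elif verb == "start":
            m = re.match(r'"?([^"\s]+)"?', args)
            if m:
                started.add(m.group(1))
    return {name: (binpath, name in started) for name, binpath in created.items()}


def eventlog_tamper(events):
    """PIDs of sc.exe runs that stop, reconfigure or delete the Windows Event Log service."""
    hits = []
    for ev in events:
        parsed = sc_verb(ev.cmdline)
        if parsed and parsed[0] in ("stop", "config", "delete") and "eventlog" in parsed[1].lower():
            hits.append(ev.pid)
    return hits


def defender_exclusions(events):
    """(kind, value) pairs added with Add-MpPreference, e.g. ('Path', '@($env:UserProfile, ...)')."""
    found = []
    for ev in events:
        if re.search(r'\bAdd-MpPreference\b', ev.cmdline, re.I):
            found.extend((kind.capitalize(), value.strip())
                         for kind, value in _EXCL_RE.findall(ev.cmdline))
    return found


def delayed_self_delete(events):
    """cmd.exe 'choice ... /T N & del <file>' dropper cleanup: (delay_seconds, path, pid)."""
    hits = []
    for ev in events:
        m = _SELFDEL_RE.search(ev.cmdline) if ev.image.lower().endswith("cmd.exe") else None
        if m:
            hits.append((int(m.group(1)), m.group(2), ev.pid))
    return hits


def wmic_hardware_fingerprint(events):
    """wmic 'csproduct get uuid' launched by a parent outside TRUSTED_BIN_DIRS: (pid, parent)."""
    return [(ev.pid, ev.parent) for ev in events
            if ev.image.lower().endswith("wmic.exe")
            and re.search(r'csproduct\s+get\s+uuid', ev.cmdline, re.I)
            and ev.parent and not ev.parent.lower().startswith(TRUSTED_BIN_DIRS)]


def triage(events):
    """Run every check and return the findings keyed by check name."""
    return {"service_persistence": service_persistence(events),
            "eventlog_tamper": eventlog_tamper(events),
            "defender_exclusions": defender_exclusions(events),
            "delayed_self_delete": delayed_self_delete(events),
            "wmic_hardware_fingerprint": wmic_hardware_fingerprint(events)}


if __name__ == "__main__":
    for check, result in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {result}")
```

To run this against real telemetry, build ProcEvent from Sysmon Event ID 1 (Image, CommandLine, ParentImage, ProcessId) or Security 4688 with command-line auditing enabled; the sc.exe chain and the Defender exclusion are the two findings that should page on their own, the self-delete and wmic fingerprint are corroborating signals.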
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 34KB
MD5 f63b5a09db52e3818f2dfb20babaaf34
SHA1 a967e36e93a70fcbe3b2bb3b74f36a3ec91275b5
SHA256 1148a6511e2c89f3491c434b6fecc94b64c6f42c3350cac04e64921eac7af273
SHA512 a3a74c721c061c37f00096db8f1bd3754c609d9bbbe78fb384a8811f93335de207c3bfa125ffec4f5a3fe8a785e6697a46c9e097e790426d94be4ff1c51a6fdd
-
Filesize 13KB
MD5 752025ba941562fa67632a8e3bf6eae9
SHA1 6031107bd050dfdfd01b7ce400f23396ebe333c3
SHA256 dd057ddc1b8a86a6da2c471f56e1b271d8b6f53b69e8cf849fc13a7b3730cd87
SHA512 d0d42e982a2eb4a277caec79bcbd6de8c825a7d5938df184ab52be209dc67d815f7b7f3ce1b9b6a3d718797d50977fd725b8af0f2d38ddd7eb86a76750e442ad
-
Filesize 2.8MB
MD5 c2fdd4a1979ec3e039f8fbfd49ba6be4
SHA1 f4e99d1ffe37782f0b41c6f9f33ce8fc8e5975c8
SHA256 bc571671d79792df1ded4352473296596e33a70fecb923b55606b7e4f1a991e8
SHA512 7f911e540512969a81766b25d17a77e0cb0d40b5ac08a973f05564f1d646077cbe66de01eb9af667ce6db56410d35ad0e98a0b1775248a45b307347b68249d4a
-
Filesize 55.7MB
MD5 37b4aad27e85da5c0a0c6058756bbfd4
SHA1 53fcdfc30c867f56c00b719b8f92e73ab1ccc489
SHA256 32a28701982b9faf976086bed5cdd06c8aba5bd45cfe5c47a29c04b9dbed1dc2
SHA512 a5ae5a1bcd617557ce577c199ebffe9824f45df5623cfd0db53184d822a6e9aa8b85488c49f2a3b51bda0b92224427e08f84509c39bda368beb56a4998559670
-
Filesize 231KB
MD5 395a42e56b6b43b7e1b54b7ced631900
SHA1 299d60e4bc3db4b1b6fd8c1bc09fb0d8ef352059
SHA256 d1d026a5437d47bc6b5d8a81678254196256bbfe452708248a18502443357a6e
SHA512 e2222ac9fccb6dca0d11d79661236034a1406478a2705272c0c8d72f12bdc58f944286a8f4c934352de5b5e0509530e633f71410f9309af201295865fe10c357
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82