Analysis Overview
SHA256
1361f85f419e83f50a754cd8ca3d2c974eb60f6733dc634d7b74eb2ec63d418f
Threat Level: Known bad
The file CRACKED-V4 (UPD).exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Stops running service(s)
Creates new service(s)
Drops file in Drivers directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Detects Pyinstaller
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Checks processor information in registry
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 13:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 13:23
Reported
2024-04-21 13:26
Platform
win7-20240221-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2916 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | C:\Windows\system32\dialer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe
"C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RVUILGKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RVUILGKT" binpath= "C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RVUILGKT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"
C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-438403989523208313-1978641336-762313142-1155045398-1489166070-2928636611727153623"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe
| MD5 | c2fdd4a1979ec3e039f8fbfd49ba6be4 |
| SHA1 | f4e99d1ffe37782f0b41c6f9f33ce8fc8e5975c8 |
| SHA256 | bc571671d79792df1ded4352473296596e33a70fecb923b55606b7e4f1a991e8 |
| SHA512 | 7f911e540512969a81766b25d17a77e0cb0d40b5ac08a973f05564f1d646077cbe66de01eb9af667ce6db56410d35ad0e98a0b1775248a45b307347b68249d4a |
\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe
| MD5 | 395a42e56b6b43b7e1b54b7ced631900 |
| SHA1 | 299d60e4bc3db4b1b6fd8c1bc09fb0d8ef352059 |
| SHA256 | d1d026a5437d47bc6b5d8a81678254196256bbfe452708248a18502443357a6e |
| SHA512 | e2222ac9fccb6dca0d11d79661236034a1406478a2705272c0c8d72f12bdc58f944286a8f4c934352de5b5e0509530e633f71410f9309af201295865fe10c357 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 7aeaa41fa4e4167fbe447ccd449e3fff |
| SHA1 | e25a42c3f4f93a6374b5c8c1c7c508719fcfb505 |
| SHA256 | 18fd1d0d60be8a9c7344ff152cd48999d46f0a983dc206b7ca718055addfd3c3 |
| SHA512 | 4f6a1fc575abf7a5e43d74847711417631b823df3b94e54f2082d5765a05f0f211772e80aa1601658912f6dae79d0a8062ae788598ba03c577f381fabf1d9660 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 13:23
Reported
2024-04-21 13:27
Platform
win10v2004-20240226-en
Max time kernel
129s
Max time network
156s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe | N/A |
| N/A | N/A | C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4076 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe | C:\Windows\system32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3216 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe
"C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3972 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5404 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4548 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5420 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4952 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RVUILGKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RVUILGKT" binpath= "C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RVUILGKT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe
C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003d8 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000344 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000364 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003c4 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d8 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ec 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000029c 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003cc 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003a8 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003bc 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003c4 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000390 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003f8 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000398 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000036c 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000324 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000380 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002f8 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ec 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000244 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000220 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000254 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000160 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000148 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000016c 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000164 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000158 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000158 00000088
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000cc 00000088
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| BE | 2.17.196.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.125.209.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| NL | 23.209.125.163:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | 163.125.209.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/2256-5-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-6-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-2-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-10-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-12-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-11-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-13-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-15-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-16-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
memory/2256-14-0x0000020F165A0000-0x0000020F165A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe
| MD5 | c2fdd4a1979ec3e039f8fbfd49ba6be4 |
| SHA1 | f4e99d1ffe37782f0b41c6f9f33ce8fc8e5975c8 |
| SHA256 | bc571671d79792df1ded4352473296596e33a70fecb923b55606b7e4f1a991e8 |
| SHA512 | 7f911e540512969a81766b25d17a77e0cb0d40b5ac08a973f05564f1d646077cbe66de01eb9af667ce6db56410d35ad0e98a0b1775248a45b307347b68249d4a |
memory/864-26-0x0000023BCB3E0000-0x0000023BCB402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u03u1ddg.bdw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/864-36-0x00007FFD74930000-0x00007FFD753F1000-memory.dmp
memory/864-37-0x0000023BE3B30000-0x0000023BE3B40000-memory.dmp
memory/864-38-0x0000023BE3B30000-0x0000023BE3B40000-memory.dmp
memory/864-39-0x0000023BE3B30000-0x0000023BE3B40000-memory.dmp
memory/864-42-0x0000023BCB4D0000-0x0000023BCB518000-memory.dmp
memory/864-43-0x00007FFD74930000-0x00007FFD753F1000-memory.dmp
memory/1980-45-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1980-47-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1980-48-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1980-46-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1980-50-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1980-51-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
memory/1980-52-0x00007FFD95D00000-0x00007FFD95DBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe
| MD5 | 395a42e56b6b43b7e1b54b7ced631900 |
| SHA1 | 299d60e4bc3db4b1b6fd8c1bc09fb0d8ef352059 |
| SHA256 | d1d026a5437d47bc6b5d8a81678254196256bbfe452708248a18502443357a6e |
| SHA512 | e2222ac9fccb6dca0d11d79661236034a1406478a2705272c0c8d72f12bdc58f944286a8f4c934352de5b5e0509530e633f71410f9309af201295865fe10c357 |
memory/3292-66-0x0000024533540000-0x0000024533580000-memory.dmp
memory/3292-67-0x00007FFD749E0000-0x00007FFD754A1000-memory.dmp
memory/2988-68-0x00007FFD749E0000-0x00007FFD754A1000-memory.dmp
memory/2988-69-0x0000017F6B2E0000-0x0000017F6B2F0000-memory.dmp
memory/2988-70-0x0000017F6B2E0000-0x0000017F6B2F0000-memory.dmp
memory/1980-80-0x0000000140000000-0x000000014002B000-memory.dmp
memory/616-83-0x00000205E1130000-0x00000205E1154000-memory.dmp
memory/616-86-0x00000205E1160000-0x00000205E118B000-memory.dmp
memory/616-89-0x00007FFD9732D000-0x00007FFD9732E000-memory.dmp
memory/668-88-0x00000241861D0000-0x00000241861FB000-memory.dmp
memory/616-85-0x00000205E1160000-0x00000205E118B000-memory.dmp
memory/668-91-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/332-94-0x000001BCDE880000-0x000001BCDE8AB000-memory.dmp
memory/964-93-0x0000024399DF0000-0x0000024399E1B000-memory.dmp
memory/668-92-0x00000241861D0000-0x00000241861FB000-memory.dmp
memory/332-99-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/964-98-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/668-97-0x00007FFD9732D000-0x00007FFD9732E000-memory.dmp
memory/736-104-0x000001F844770000-0x000001F84479B000-memory.dmp
memory/668-103-0x00007FFD9732F000-0x00007FFD97330000-memory.dmp
memory/964-108-0x0000024399DF0000-0x0000024399E1B000-memory.dmp
memory/1044-110-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/332-111-0x000001BCDE880000-0x000001BCDE8AB000-memory.dmp
memory/736-113-0x000001F844770000-0x000001F84479B000-memory.dmp
memory/1044-114-0x000002C3D6E90000-0x000002C3D6EBB000-memory.dmp
memory/736-106-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/668-105-0x00007FFD9732C000-0x00007FFD9732D000-memory.dmp
memory/1044-107-0x000002C3D6E90000-0x000002C3D6EBB000-memory.dmp
memory/1052-116-0x000001BF21AA0000-0x000001BF21ACB000-memory.dmp
memory/1052-117-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/2988-128-0x0000017F6B790000-0x0000017F6B7AC000-memory.dmp
memory/2988-130-0x0000017F6B7B0000-0x0000017F6B865000-memory.dmp
memory/3292-132-0x00007FFD749E0000-0x00007FFD754A1000-memory.dmp
memory/1104-133-0x0000013D03540000-0x0000013D0356B000-memory.dmp
memory/1104-138-0x0000013D03540000-0x0000013D0356B000-memory.dmp
memory/1140-136-0x000001A96E180000-0x000001A96E1AB000-memory.dmp
memory/1140-143-0x000001A96E180000-0x000001A96E1AB000-memory.dmp
memory/1140-140-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/1104-135-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/1272-144-0x0000022EAA530000-0x0000022EAA55B000-memory.dmp
memory/2988-146-0x00007FF47C5B0000-0x00007FF47C5C0000-memory.dmp
memory/1272-147-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/1224-145-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
memory/1224-142-0x000001FDAE7B0000-0x000001FDAE7DB000-memory.dmp
memory/2988-150-0x00007FFD749E0000-0x00007FFD754A1000-memory.dmp
memory/1224-151-0x000001FDAE7B0000-0x000001FDAE7DB000-memory.dmp
memory/2988-152-0x0000017F6B2E0000-0x0000017F6B2F0000-memory.dmp
memory/1312-155-0x0000016EB8B60000-0x0000016EB8B8B000-memory.dmp
memory/2988-157-0x0000017F6B2E0000-0x0000017F6B2F0000-memory.dmp
memory/2988-162-0x0000017F6B570000-0x0000017F6B57A000-memory.dmp
memory/616-166-0x00000205E1160000-0x00000205E118B000-memory.dmp
memory/3292-173-0x000002454DAF0000-0x000002454DB00000-memory.dmp
memory/1320-177-0x000001ACC79D0000-0x000001ACC79FB000-memory.dmp
memory/1356-187-0x0000017FE8660000-0x0000017FE868B000-memory.dmp
memory/1564-191-0x0000020D96340000-0x0000020D9636B000-memory.dmp
memory/1580-198-0x00000211399A0000-0x00000211399CB000-memory.dmp
memory/1728-199-0x000002599A140000-0x000002599A16B000-memory.dmp
memory/2988-200-0x0000017F6B2E0000-0x0000017F6B2F0000-memory.dmp
memory/668-204-0x00000241861D0000-0x00000241861FB000-memory.dmp
memory/1632-207-0x0000022989F60000-0x0000022989F8B000-memory.dmp
memory/1784-216-0x0000025097560000-0x000002509758B000-memory.dmp
memory/1764-213-0x000002449F370000-0x000002449F39B000-memory.dmp
memory/1524-202-0x00000238A0650000-0x00000238A067B000-memory.dmp
memory/1928-221-0x00000278CC9A0000-0x00000278CC9CB000-memory.dmp
memory/1944-226-0x0000025C9CC90000-0x0000025C9CCBB000-memory.dmp
memory/2016-232-0x0000027931CD0000-0x0000027931CFB000-memory.dmp
memory/1852-238-0x000001770F730000-0x000001770F75B000-memory.dmp
memory/2024-240-0x0000020F34970000-0x0000020F3499B000-memory.dmp
memory/3292-243-0x00007FFD749E0000-0x00007FFD754A1000-memory.dmp
memory/2052-245-0x00000000010C0000-0x00000000010EB000-memory.dmp
memory/1104-251-0x0000013D03540000-0x0000013D0356B000-memory.dmp
memory/2988-249-0x0000017F6B9D0000-0x0000017F6B9EC000-memory.dmp
memory/1052-248-0x000001BF21AA0000-0x000001BF21ACB000-memory.dmp
memory/1140-257-0x000001A96E180000-0x000001A96E1AB000-memory.dmp
memory/2200-258-0x00000249BA7A0000-0x00000249BA7CB000-memory.dmp
memory/1272-259-0x0000022EAA530000-0x0000022EAA55B000-memory.dmp
memory/2988-260-0x00007FF47C5B0000-0x00007FF47C5C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RAT.exe
| MD5 | 37b4aad27e85da5c0a0c6058756bbfd4 |
| SHA1 | 53fcdfc30c867f56c00b719b8f92e73ab1ccc489 |
| SHA256 | 32a28701982b9faf976086bed5cdd06c8aba5bd45cfe5c47a29c04b9dbed1dc2 |
| SHA512 | a5ae5a1bcd617557ce577c199ebffe9824f45df5623cfd0db53184d822a6e9aa8b85488c49f2a3b51bda0b92224427e08f84509c39bda368beb56a4998559670 |
memory/2244-264-0x0000016840160000-0x000001684018B000-memory.dmp
memory/1312-267-0x0000016EB8B60000-0x0000016EB8B8B000-memory.dmp
memory/2452-271-0x000001C558D20000-0x000001C558D4B000-memory.dmp
memory/2464-275-0x0000021855450000-0x000002185547B000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA68.tmp.csv
| MD5 | f63b5a09db52e3818f2dfb20babaaf34 |
| SHA1 | a967e36e93a70fcbe3b2bb3b74f36a3ec91275b5 |
| SHA256 | 1148a6511e2c89f3491c434b6fecc94b64c6f42c3350cac04e64921eac7af273 |
| SHA512 | a3a74c721c061c37f00096db8f1bd3754c609d9bbbe78fb384a8811f93335de207c3bfa125ffec4f5a3fe8a785e6697a46c9e097e790426d94be4ff1c51a6fdd |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAE6.tmp.txt
| MD5 | 752025ba941562fa67632a8e3bf6eae9 |
| SHA1 | 6031107bd050dfdfd01b7ce400f23396ebe333c3 |
| SHA256 | dd057ddc1b8a86a6da2c471f56e1b271d8b6f53b69e8cf849fc13a7b3730cd87 |
| SHA512 | d0d42e982a2eb4a277caec79bcbd6de8c825a7d5938df184ab52be209dc67d815f7b7f3ce1b9b6a3d718797d50977fd725b8af0f2d38ddd7eb86a76750e442ad |