Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 14-05-2024 10:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: CLModdingTool.exe
- Resource: win7-20231129-en
General
- Target: CLModdingTool.exe
- Size: 2.8MB
- MD5: 3e8467e2688b2efa61f59f22f809f1e0
- SHA1: a6c5df599e482932d3beda04c8ec6280fe6d68e8
- SHA256: eb18e1c355e002f0589621dd7f67605004874c016ac7e3f3ea93ee0092a183ff
- SHA512: 43c252147ac8e63ad28d672ef866608af523e73991093d650b61a40c55b7415208bc472d29e6e8c650ca580b0b71ff35af0e4945d387e242878a114ea84883d5
- SSDEEP: 49152:9svNXfFAw+qqIlu3Ab7AUziVj3djevc2FmpLAcyxEDIUqsfix5b4qPcxxKppk:9sdfmZIllvYj3djeUHhaESV5b4qPIKLk
Malware Config
Extracted
- 44caliber
- https://discord.com/api/webhooks/1239664839861731431/VT6K0qlAVUjcvrSdaA7o80cVaJyetsfS1bh1v1T-yNWgA-Xp45pD3IwxPT8-ZVpBj_mb
Extracted
- xworm
- 5.0
- central-feb.gl.at.ply.gg:50764
- v9noCapeVzXu1P4f
- Install_directory: %AppData%
- install_file: ModsInstaller.exe
Signatures
Detect Xworm Payload 2 IoCs
resource | yara_rule
- behavioral1/files/0x0009000000016be2-30.dat | family_xworm
- behavioral1/memory/2616-56-0x0000000000EB0000-0x0000000000EE8000-memory.dmp | family_xworm
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | svchost.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | svchost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
- 916 | powershell.exe
- 1204 | powershell.exe
Creates new service(s) 2 TTPs
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CVKCQNWB\ImagePath = "C:\\ProgramData\\oaocofwmfjha\\gmstcccpdzbb.exe" | services.exe
Drops startup file 2 IoCs
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk | ModsPack.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk | ModsPack.exe
Executes dropped EXE 6 IoCs
pid | Process
- 2020 | ClokaHelper.exe
- 2680 | ClockModdingToolInstaller.exe
- 2616 | ModsPack.exe
- 2776 | clockamoddingtool.exe
- 888 | gmstcccpdzbb.exe
- 596 | mpdjnz.exe
Loads dropped DLL 16 IoCs
pid | Process
- 2964 | CLModdingTool.exe (14 entries)
- 480 | services.exe (2 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ModsInstaller = "C:\\Users\\Admin\\AppData\\Roaming\\ModsInstaller.exe" | ModsPack.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\toad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toad.exe" | mpdjnz.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 4 | freegeoip.app
- 5 | freegeoip.app
- 16 | ip-api.com
Drops file in System32 directory 22 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\system32\MRT.exe | ClockModdingToolInstaller.exe
- File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | WMIADAP.EXE
- File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | WMIADAP.EXE
- File created | C:\Windows\system32\perfh00A.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh00C.dat | WMIADAP.EXE
- File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | svchost.exe
- File created | C:\Windows\system32\perfh009.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc00A.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc00C.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc011.dat | WMIADAP.EXE
- File created | C:\Windows\system32\PerfStringBackup.TMP | WMIADAP.EXE
- File opened for modification | C:\Windows\system32\PerfStringBackup.INI | WMIADAP.EXE
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\system32\MRT.exe | gmstcccpdzbb.exe
- File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | svchost.exe
- File created | C:\Windows\system32\perfc007.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc009.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh011.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh007.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc010.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh010.dat | WMIADAP.EXE
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
- PID 2680 set thread context of 1492 | 2680 | ClockModdingToolInstaller.exe | 55
- PID 888 set thread context of 2684 | 888 | gmstcccpdzbb.exe | 89
- PID 888 set thread context of 1764 | 888 | gmstcccpdzbb.exe | 90
- PID 888 set thread context of 1148 | 888 | gmstcccpdzbb.exe | 91
Drops file in Windows directory 6 IoCs
description | ioc | Process
- File created | C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | WMIADAP.EXE
- File created | C:\Windows\wusa.lock | wusa.exe
- File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
- File created | C:\Windows\wusa.lock | wusa.exe
- File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | WMIADAP.EXE
- File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | WMIADAP.EXE
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
- sc.exe launched with PIDs 1744, 384, 1908, 2204, 2220, 1900, 1796, 1628, 2060, 992, 1732, 1604, 572, 2992
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | ClokaHelper.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ClokaHelper.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
- Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
- Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b02127e2e8a5da01 | powershell.exe
Modifies system certificate store
description | ioc | Process
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | ClokaHelper.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | ClokaHelper.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | ClokaHelper.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | ClokaHelper.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2020 ClokaHelper.exe 2020 ClokaHelper.exe 2020 ClokaHelper.exe 2680 ClockModdingToolInstaller.exe 916 powershell.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 1492 dialer.exe 1492 dialer.exe 2680 ClockModdingToolInstaller.exe 1492 dialer.exe 1492 dialer.exe 1492 dialer.exe 1492 dialer.exe 2680 ClockModdingToolInstaller.exe 2680 ClockModdingToolInstaller.exe 888 gmstcccpdzbb.exe 1492 dialer.exe 1492 dialer.exe 1492 dialer.exe 1492 dialer.exe 1204 powershell.exe 1492 dialer.exe 1492 dialer.exe 2616 ModsPack.exe 1492 dialer.exe 1492 dialer.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 1492 dialer.exe 1492 dialer.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 1492 dialer.exe 1492 dialer.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 888 gmstcccpdzbb.exe 2684 dialer.exe 2684 dialer.exe 888 gmstcccpdzbb.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2616 ModsPack.exe Token: SeDebugPrivilege 2020 ClokaHelper.exe Token: SeDebugPrivilege 916 powershell.exe Token: SeDebugPrivilege 2680 ClockModdingToolInstaller.exe Token: SeShutdownPrivilege 280 powercfg.exe Token: SeShutdownPrivilege 592 powercfg.exe Token: SeShutdownPrivilege 472 powercfg.exe Token: SeShutdownPrivilege 1128 powercfg.exe Token: SeDebugPrivilege 1492 dialer.exe Token: SeAuditPrivilege 860 svchost.exe Token: SeDebugPrivilege 1204 powershell.exe Token: SeAuditPrivilege 860 svchost.exe Token: SeDebugPrivilege 2616 ModsPack.exe Token: SeDebugPrivilege 888 gmstcccpdzbb.exe Token: SeShutdownPrivilege 2576 powercfg.exe Token: SeDebugPrivilege 2684 dialer.exe Token: SeShutdownPrivilege 2612 powercfg.exe Token: SeShutdownPrivilege 2932 powercfg.exe Token: SeShutdownPrivilege 2476 powercfg.exe Token: SeLockMemoryPrivilege 1148 dialer.exe Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe Token: SeTakeOwnershipPrivilege 860 svchost.exe Token: SeLoadDriverPrivilege 860 svchost.exe Token: SeRestorePrivilege 860 svchost.exe Token: SeSystemEnvironmentPrivilege 860 svchost.exe Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe Token: SeTakeOwnershipPrivilege 860 svchost.exe Token: SeLoadDriverPrivilege 860 svchost.exe Token: SeSystemtimePrivilege 860 svchost.exe Token: SeBackupPrivilege 860 svchost.exe Token: SeRestorePrivilege 860 svchost.exe Token: SeShutdownPrivilege 860 svchost.exe Token: SeSystemEnvironmentPrivilege 860 svchost.exe Token: SeUndockPrivilege 860 svchost.exe Token: SeManageVolumePrivilege 860 svchost.exe Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe Token: SeTakeOwnershipPrivilege 860 svchost.exe Token: 
SeLoadDriverPrivilege 860 svchost.exe Token: SeRestorePrivilege 860 svchost.exe Token: SeSystemEnvironmentPrivilege 860 svchost.exe Token: SeShutdownPrivilege 1360 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe Token: SeTakeOwnershipPrivilege 860 svchost.exe Token: SeLoadDriverPrivilege 860 svchost.exe Token: SeRestorePrivilege 860 svchost.exe Token: SeSystemEnvironmentPrivilege 860 svchost.exe Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe Token: SeTakeOwnershipPrivilege 860 svchost.exe Token: SeLoadDriverPrivilege 860 svchost.exe Token: SeRestorePrivilege 860 svchost.exe Token: SeSystemEnvironmentPrivilege 860 svchost.exe Token: SeAssignPrimaryTokenPrivilege 860 svchost.exe Token: SeIncreaseQuotaPrivilege 860 svchost.exe Token: SeSecurityPrivilege 860 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2776 clockamoddingtool.exe 1360 Explorer.EXE 1360 Explorer.EXE 596 mpdjnz.exe 1360 Explorer.EXE 1360 Explorer.EXE 1360 Explorer.EXE 1360 Explorer.EXE 596 mpdjnz.exe 1360 Explorer.EXE 1360 Explorer.EXE 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1360 Explorer.EXE 1360 Explorer.EXE 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe 596 mpdjnz.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
- 2616 | ModsPack.exe
- 596 | mpdjnz.exe
- 596 | mpdjnz.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2020 2964 CLModdingTool.exe 28 PID 2964 wrote to memory of 2020 2964 CLModdingTool.exe 28 PID 2964 wrote to memory of 2020 2964 CLModdingTool.exe 28 PID 2964 wrote to memory of 2020 2964 CLModdingTool.exe 28 PID 2964 wrote to memory of 2680 2964 CLModdingTool.exe 29 PID 2964 wrote to memory of 2680 2964 CLModdingTool.exe 29 PID 2964 wrote to memory of 2680 2964 CLModdingTool.exe 29 PID 2964 wrote to memory of 2680 2964 CLModdingTool.exe 29 PID 2964 wrote to memory of 2616 2964 CLModdingTool.exe 30 PID 2964 wrote to memory of 2616 2964 CLModdingTool.exe 30 PID 2964 wrote to memory of 2616 2964 CLModdingTool.exe 30 PID 2964 wrote to memory of 2616 2964 CLModdingTool.exe 30 PID 2964 wrote to memory of 2776 2964 CLModdingTool.exe 31 PID 2964 wrote to memory of 2776 2964 CLModdingTool.exe 31 PID 2964 wrote to memory of 2776 2964 CLModdingTool.exe 31 PID 2964 wrote to memory of 2776 2964 CLModdingTool.exe 31 PID 2332 wrote to memory of 1584 2332 cmd.exe 40 PID 2332 wrote to memory of 1584 2332 cmd.exe 40 PID 2332 wrote to memory of 1584 2332 cmd.exe 40 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 2680 wrote to memory of 1492 2680 ClockModdingToolInstaller.exe 55 PID 1492 wrote to memory of 436 1492 dialer.exe 5 PID 1492 wrote to memory of 480 1492 dialer.exe 6 PID 1492 wrote to memory of 496 1492 dialer.exe 7 PID 1492 wrote to memory of 504 1492 dialer.exe 8 PID 1492 wrote to memory of 612 1492 dialer.exe 9 PID 1492 wrote to memory of 696 1492 dialer.exe 10 PID 1492 wrote to memory of 780 1492 dialer.exe 11 PID 1492 wrote to 
memory of 832 1492 dialer.exe 12 PID 1492 wrote to memory of 860 1492 dialer.exe 13 PID 1492 wrote to memory of 1008 1492 dialer.exe 15 PID 1492 wrote to memory of 352 1492 dialer.exe 16 PID 1492 wrote to memory of 300 1492 dialer.exe 17 PID 1492 wrote to memory of 1032 1492 dialer.exe 18 PID 1492 wrote to memory of 1224 1492 dialer.exe 19 PID 1492 wrote to memory of 1320 1492 dialer.exe 20 PID 1492 wrote to memory of 1360 1492 dialer.exe 21 PID 1492 wrote to memory of 1124 1492 dialer.exe 24 PID 1492 wrote to memory of 2400 1492 dialer.exe 25 PID 1492 wrote to memory of 2020 1492 dialer.exe 28 PID 1492 wrote to memory of 2680 1492 dialer.exe 29 PID 1492 wrote to memory of 2616 1492 dialer.exe 30 PID 1492 wrote to memory of 2832 1492 dialer.exe 32 PID 1492 wrote to memory of 1128 1492 dialer.exe 48 PID 1492 wrote to memory of 280 1492 dialer.exe 49 PID 1492 wrote to memory of 472 1492 dialer.exe 50 PID 1492 wrote to memory of 2452 1492 dialer.exe 52 PID 1492 wrote to memory of 1480 1492 dialer.exe 54 PID 1492 wrote to memory of 800 1492 dialer.exe 56 PID 1492 wrote to memory of 2220 1492 dialer.exe 59 PID 1492 wrote to memory of 2300 1492 dialer.exe 60 PID 480 wrote to memory of 888 480 services.exe 65 PID 480 wrote to memory of 888 480 services.exe 65 PID 480 wrote to memory of 888 480 services.exe 65 PID 1492 wrote to memory of 888 1492 dialer.exe 65 PID 1492 wrote to memory of 1900 1492 dialer.exe 62 PID 1492 wrote to memory of 2384 1492 dialer.exe 64 PID 1492 wrote to memory of 888 1492 dialer.exe 65 PID 1492 wrote to memory of 1204 1492 dialer.exe 66
Processes
- C:\Windows\system32\winlogon.exe (PID 436)
  command line: winlogon.exe
- C:\Windows\system32\services.exe (PID 480)
  command line: C:\Windows\system32\services.exe
  signatures: Sets service image path in registry; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 612)
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\wbem\wmiprvse.exe (PID 2832)
      command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      signatures: Checks processor information in registry; Enumerates system info in registry
    - C:\Windows\system32\wbem\wmiprvse.exe (PID 1284)
      command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  - C:\Windows\system32\svchost.exe (PID 696)
    command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\System32\svchost.exe (PID 780)
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    signatures: Modifies security service; Drops file in System32 directory
  - C:\Windows\System32\svchost.exe (PID 832)
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - C:\Windows\system32\Dwm.exe (PID 1320)
      command line: "C:\Windows\system32\Dwm.exe"
  - C:\Windows\system32\svchost.exe (PID 860)
    command line: C:\Windows\system32\svchost.exe -k netsvcs
    signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wbem\WMIADAP.EXE (PID 2696)
      command line: wmiadap.exe /F /T /R
      signatures: Drops file in System32 directory; Drops file in Windows directory
  - C:\Windows\system32\svchost.exe (PID 1008)
    command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe (PID 352)
    command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\System32\spoolsv.exe (PID 300)
    command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe (PID 1032)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\system32\taskhost.exe (PID 1224)
    command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe (PID 1124)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe (PID 2400)
    command line: C:\Windows\system32\sppsvc.exe
  - C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe (PID 888)
    command line: C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1204)
      command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 1168)
      command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\wusa.exe (PID 1932)
        command line: wusa /uninstall /kb:890830 /quiet /norestart
        signatures: Drops file in Windows directory
    - C:\Windows\system32\sc.exe (PID 992)
      command line: C:\Windows\system32\sc.exe stop UsoSvc
      signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 1732)
      command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 1628)
      command line: C:\Windows\system32\sc.exe stop wuauserv
      signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 2992)
      command line: C:\Windows\system32\sc.exe stop bits
      signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 2060)
      command line: C:\Windows\system32\sc.exe stop dosvc
      signatures: Launches sc.exe
    - C:\Windows\system32\powercfg.exe (PID 2612)
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 2576)
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 2932)
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 2476)
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\dialer.exe (PID 2684)
      command line: C:\Windows\system32\dialer.exe
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\dialer.exe (PID 1764)
      command line: C:\Windows\system32\dialer.exe
    - C:\Windows\system32\dialer.exe (PID 1148)
      command line: dialer.exe
      signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\lsass.exe (PID 496)
  command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\lsm.exe (PID 504)
  command line: C:\Windows\system32\lsm.exe
- C:\Windows\Explorer.EXE (PID 1360)
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe (PID 2964)
    command line: "C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe (PID 2020)
      command line: "C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe"
      signatures: Executes dropped EXE; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe (PID 2680)
      command line: "C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe"
      signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 916)
        command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 2332)
        command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\wusa.exe (PID 1584)
          command line: wusa /uninstall /kb:890830 /quiet /norestart
          signatures: Drops file in Windows directory
      - C:\Windows\system32\sc.exe (PID 1604)
        command line: C:\Windows\system32\sc.exe stop UsoSvc
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 1908)
        command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 1744)
        command line: C:\Windows\system32\sc.exe stop wuauserv
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 2204)
        command line: C:\Windows\system32\sc.exe stop bits
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 384)
        command line: C:\Windows\system32\sc.exe stop dosvc
        signatures: Launches sc.exe
      - C:\Windows\system32\powercfg.exe (PID 1128)
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 280)
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 472)
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 592)
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\dialer.exe (PID 1492)
        command line: C:\Windows\system32\dialer.exe
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe (PID 572)
        command line: C:\Windows\system32\sc.exe delete "CVKCQNWB"
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 2220)
        command line: C:\Windows\system32\sc.exe create "CVKCQNWB" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 1796)
        command line: C:\Windows\system32\sc.exe stop eventlog
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 1900)
        command line: C:\Windows\system32\sc.exe start "CVKCQNWB"
        signatures: Launches sc.exe
    - C:\Users\Admin\AppData\Local\Temp\ModsPack.exe (PID 2616)
      command line: "C:\Users\Admin\AppData\Local\Temp\ModsPack.exe"
      signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\mpdjnz.exe (PID 596)
        command line: "C:\Users\Admin\AppData\Local\Temp\mpdjnz.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe (PID 2776)
      command line: "C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe"
      signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\conhost.exe (PID 2452)
  command line: \??\C:\Windows\system32\conhost.exe "-729158021-2002404973-1871634893-253152973-438060356-1815569439-1129588282-2124233862"
- C:\Windows\system32\conhost.exe (PID 1480)
  command line: \??\C:\Windows\system32\conhost.exe "704747529-5809733521164742726-616313270-9694525041791869046-143915467-353744529"
- C:\Windows\system32\conhost.exe (PID 800)
  command line: \??\C:\Windows\system32\conhost.exe "1948534962-1249435004-181435111610448383-896321341-305734298354110587-2068761424"
- C:\Windows\system32\conhost.exe (PID 2300)
  command line: \??\C:\Windows\system32\conhost.exe "113207265202122916-863531226-1382529183-6622117820361874761916349194-1723501790"
- C:\Windows\system32\conhost.exe (PID 2384)
  command line: \??\C:\Windows\system32\conhost.exe "-1110952586-265564882-705284807-130646987913822669361013806247-19642899231691794169"
- C:\Windows\system32\conhost.exe (PID 572)
  command line: \??\C:\Windows\system32\conhost.exe "2041795585493969052-1297496880-1528285344-43283832716377913111674922652-1921072103"
- C:\Windows\system32\conhost.exe (PID 856)
  command line: \??\C:\Windows\system32\conhost.exe "1107594521-10760138591310516421928452996-1695094381876477063-1911243996-1858973900"
- C:\Windows\system32\conhost.exe (PID 816)
  command line: \??\C:\Windows\system32\conhost.exe "-16543384914263451924595308011016592500-1932200442-1787432462-14859068552040878904"
- C:\Windows\system32\conhost.exe (PID 2364)
  command line: \??\C:\Windows\system32\conhost.exe "-554521053-816959228-19127645801111412513-191850278418748557731147270801-498497993"
- C:\Windows\system32\conhost.exe (PID 2928)
  command line: \??\C:\Windows\system32\conhost.exe "-2949129701966976644250518459-660476500850688703590830231-16628902411655690103"
- C:\Windows\system32\conhost.exe (PID 2784)
  command line: \??\C:\Windows\system32\conhost.exe "-2083651521-916116649-1803807126-1235848680-24140468418848758811117458328-504817478"
- C:\Windows\system32\conhost.exe (PID 2504)
  command line: \??\C:\Windows\system32\conhost.exe "-10345335421493806638-985500336-1289243931610125020728699479-6037978871715128439"
- C:\Windows\system32\conhost.exe (PID 2068)
  command line: \??\C:\Windows\system32\conhost.exe "544963789-1436615092359881-21406719201095280645-156325143811558376031473337286"
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - System Services (2): Service Execution (2)
- Persistence
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (3): Windows Service (3)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (3): Windows Service (3)
Downloads
- Filesize: 88B
  MD5: 5a80ae856d3183cc50a92f7a470a4d44
  SHA1: 6fc7f31ce53916c1e308ab77cabaae22c9197395
  SHA256: 248bd46369dc7a6611f0009cc3be813143044d2ddd87ff5fa6d395c665ed7fe6
  SHA512: 85507d5724f1dbc21d6c10c12f9da85d57f7cb674a814a8c506e705ec58f7fc2d32ac8f3c555df93f349409bb75e1ee500920866b514a7401e9eb1e5f4b8ac10
- Filesize: 433B
  MD5: 238eece2e787189a55b66aa9d2062290
  SHA1: 2e5005b0e8cf6007b71d2a9e5cf0bab81589c901
  SHA256: 3f27143a41cbb3746e6c8505fe92585714863a74b29d973172edd2ede49dd5ad
  SHA512: 9abeb418bfb13543de6f694e6fb2b27f4026823b3ed09ebedd5b48b047a7f156c7494f671d07f5516e16351e417e5da9c020beb5310ffbb0be8ca015960977a2
- Filesize: 56KB
  MD5: 6d10f6618182a146fc3b407f8b0c080e
  SHA1: f7f6c854b5a5eb0debcc5060453d0d15d66eeb87
  SHA256: 170c9351717e67cda6f3cfa73196c32462e63c87a07336821668b38bd0e1cf01
  SHA512: 14ad694b297090cacf1aeb92badbba68d4ebb1b44da4a9e63137c0aa1ebc3a94236792266783f79b3428e3d611afe46288b9ae818c194fe1deb2fa9ea58febb5
- Filesize: 724B
  MD5: 6fce37a06a5293d29e5c2ac30aebf6de
  SHA1: 6004445a8019f484799e13d0a9074b3ddc2f611b
  SHA256: f882f02cae9d07f15306b8aef29aac463a48d05078ea41431eae78cbfa6a90a3
  SHA512: 679b48dd087e5230fcc72926a47fa53eaf19d495d4013f4a677eae7e27c77f7cd5136744650a74880b89bf819fd535b6d540b9ed4fdca3f2ff70ffbee39dc28b
- Filesize: 141KB
  MD5: cea1b98ec0c3919cc62c836e00c68863
  SHA1: e02600d4cb930ce357e0df3a1acf3a33ad238fa3
  SHA256: 8f44cd24382a3719b6fe3b0866286f4543257629b087fba76bc43158c22faed6
  SHA512: af44659dfa613c9a30761b996453e5ff6b5d7ed1e5e5b1003b2f2d6348507bbc4ccd54ced36981fb50706ce880cea69994cfbafccfeb1e19f23c05623c198644
- Filesize: 154KB
  MD5: 124b2850d0d5ea4d72b0b9a332225836
  SHA1: 91b4717369678b7924c54beb7b73a13714633b45
  SHA256: 16c79e7814370310048aa440a671ee3f28fd42fe4271211d19739a5dd611c3be
  SHA512: da705bf51423a48d8eb4592033d32de99cae30cfad9b6222b7d57c13efd56fb82ef3e92cdd04ac7f12f0ae1b616294a7e22879c3f5443765f2ca57c098282b33
- Filesize: 141KB
  MD5: 822e634903f0f097472909713272812c
  SHA1: 00014d6d5586deea745580e8555df39115f3e0aa
  SHA256: 6dd5e379751f7294a604c8235162e782d10a2f426239e2c0ea479b732da4f693
  SHA512: 2e0feb10dcdcbce6609d3ea07e20ac2050429081baaa30704a13848c839670b68fa75696d8741cc7473b7ee993843a086e80a6c433f93ab8d22ecd07d72855c4
- Filesize: 142KB
  MD5: 71b854c727e136df2704232789a09457
  SHA1: 015010461e0c9f499047591ae850c9d013a04f33
  SHA256: aa180f83eff8188abc3594032c36a545bb81d9fa01973aa74cf3977f2eeb2459
  SHA512: 17e31ecf14815d4387acc86f34591ce16ccc099557bc2265135be62314d4c6f0946d9472690de8c43313d1839112556ffeee91322dcd656830be234511b1a9f0
- Filesize: 114KB
  MD5: bee5d91b496fb80f633b314b1dbb55eb
  SHA1: 25c99dd2d14166bdb16a3b0238204fa8c0094780
  SHA256: 60f1cd5bc3deb6245e628c6be28bb5425e9c9c24437832929f4d55265ce51334
  SHA512: 468c5745197bf8a044236dcb86ee398d269e35ef1c93bceb171c9e99bd2bcb39240cbe8280daa8f3d0af4f93b616a47d5d73188c3d2fce244f9ad2e089e2f460
- Filesize: 668KB
  MD5: 5bf32d9691933ae11b5eada31f1a2377
  SHA1: 1124bab5271e006d69968eb2bb365e26fb02e3dd
  SHA256: 26e51dd53f5835053443c5b07158243e71e7baf840af6553a144adade35cad98
  SHA512: 633aaca0a283891d7ff034c2ce22e98b804ecf2f617ce131e5680f43f52d011c10fb7267987c09fa9b803c93ccedbb9f40325f3229a9228ed1c1d236ce55e8f1
- Filesize: 634KB
  MD5: 2607d7f6cb436cfc13dcb11cd9d00b66
  SHA1: 3e6fec2467a5df541d074fe0e0022eba8232770f
  SHA256: d9853dc6c034b3a304321c8d26274cb1579a4d20499b68b76fb3b947fb30b975
  SHA512: b53817c724409e5794a4d767bbb0fc16badc7a5088165401728885daecd0a6d986bc42f80c70cbd98d8602b6ffe742d7ac6c71dfc05a95e4210b4c2185d3a5ee
- Filesize: 715KB
  MD5: d18094b6e68efa9614d1e416fb102f4d
  SHA1: 131620905e016bc2e5af2fb460aade913b66d48d
  SHA256: 1523ee3af7aa4808b9b7b653ef832a42eae718f73f9928ca78c0e2073e1102dc
  SHA512: 0257a3be68815d4a6c62f15070c9f56494181dec7eca30ff0ce2b6fc38c1c41a762906e6574b8052b1c9b066f75cadf654827abcb42a8894f55df8a360902e21
-
Filesize
727KB
MD578551fda9730bb582b9622a3f2b71eef
SHA151aad2de44090656938526b2f974a2253b77b6b2
SHA2563b01e337147a2415e22ea0aae0af4617e8a368a80eeb590765982edacc23e8c3
SHA512a4e725ea80aceee54d74682cf436649e1cfca140a7db1b8909556b2e2c2c0d3b5b890fe44c614c17a7d8544a178e1871edf9bb9d1c99e96f3799de6a7936af7b
-
Filesize
722KB
MD537997b4a765e0df0944deb7b3c68fc9f
SHA17f70b0f88f8353e6e382f80b38d47736e2de81ca
SHA256f82abb5bf658ddc5bbf83b786d83636f830494a3c259140cab60e52582c87ac6
SHA512e28605ce84f795aa8b100c8da3129a8ed370861bd229265f0a1093fbb0ec5ed13e78657f30f266a707848e1f651543b4dc5fdf5ad61ed5e61b1e68ff03dcb25c
-
Filesize
406KB
MD50e026eb49e299091e1b0052091c3054d
SHA1bc2ba534a80f8eb70513fc3a21b8189bcb66e7a3
SHA2567c61b56375d8dea0a9e1992763fd118b717898fe3a58270288026caad3c29e44
SHA512b4eff969eb5ae37219fa865b9b3649a64aa4f022cc4d1bacb44af06bdaf0bb6d8ff764cc0f2d0d5596895a24a8e30ffdbff28065ed84e3fcfdfe1087c417b2a8
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
Filesize
27KB
MD546d08e3a55f007c523ac64dce6dcf478
SHA162edf88697e98d43f32090a2197bead7e7244245
SHA2565b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42
-
Filesize
2.8MB
MD5ea1cd01967246105d1df5dd754c18652
SHA19f8f3d3bd6a8ffe090b20681afc6cd4db5c8f6fc
SHA25664c476205c0ef86807d824120fa30cd0c5ca12c6bf629d311269362b8beb6d1e
SHA512609d4628eb2bb9a33d602fd7520c0a05ca5026f6d595d9d21fa845ea740618f7f5da43a4cdd65bbd47c5b3b8a26b42ef7d0fe4431c9e57fda6030f7ddd2e796f
-
Filesize
274KB
MD50c36ba36eb375ad5dd4caf9f5d9dc986
SHA1120aea60169664c91fc822b6686806c018df5c2d
SHA256b74bb17ed58c3949175b5c0f2afcb5107030b08a863c0650a9ca933ae34a6944
SHA512d30441b58c0e6192e669f1ec2b41799a088ddc8860e50c2151ae817cb07547f7e4df3b5984a3aaf82838ff628ff39d083bcf22cc6b85ad3751fee1a3cdc16409
-
Filesize
205KB
MD5be7caa55623b12b1eedc4065ea0448e9
SHA16adac34012f95232b12961e34ddace02beaeb4d8
SHA2560d44972799c41fbeabeb1d539e6108a4e553f118951f5825626fe7e13785dc9e
SHA5123b101a1f263204f7e0d09d03b51b3c19a52c59309818fc6ec0646a61b368c786939e9d45cb6303c8742a7c6a47594a2bbefbd835cada6b57ab02a18eb6b0c219
-
Filesize
29KB
MD599513e6a542dda990564077a4295f3ae
SHA12e0dd1b6e1e1b0fe7489cced98ed5bbef5fccc46
SHA256a463a392698a6502f64dfc092068b1ea880846ed24e261edf29f6546462fa7c9
SHA512564a2d4404146cd91b4edc4acaed4c388457b97445d1cea7f5a9a41007c6feb170e8ae88704fc00eb4a33ea999db6c1d49af577405ee3729ed764bdf97507d9b
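The Downloads block above is the report's dropped-file IoC list, but as extracted it is only usable after the size and digest labels are pulled apart from their values. The following parser is an added example and is not part of the sandbox report or its tooling: it turns a block in this layout into one record per "-" separator, accepts both the fused form ("MD5" immediately followed by the hex) and the form with the value on its own line, checks every digest for the right hex length so a truncated hash is flagged rather than silently fed into a hunt, and returns a set of digests for a given algorithm. The sample input embeds two entries from the list above and one constructed entry with a deliberately truncated MD5 to exercise the validation path.

```python
import re
from dataclasses import dataclass, field

# Labels used in the block and the hex length each digest must have.
# Filesize has no fixed form (e.g. "88B", "2.8MB"), so it is not validated.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Longer labels first so "SHA512"/"SHA256" are never read as "SHA1" + digits.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DownloadRecord:
    size: str = ""
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex
    problems: list = field(default_factory=list)  # validation findings


def parse_downloads(text):
    """Parse a 'Downloads' hash block into DownloadRecord objects.

    Each "-" line starts a new record. A label may carry its value on the
    same line ("MD55a80...") or on the following line ("MD5" / "5a80...").
    Digests with the wrong length or non-hex characters are recorded under
    problems instead of hashes, so callers never hunt on a damaged value.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":
            current = DownloadRecord()
            records.append(current)
            continue
        if not line or current is None:
            continue
        m = LABEL_RE.match(line)
        if not m:
            current.problems.append(f"unexpected line: {line}")
            continue
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):      # value is on the next line
            value = lines[i].strip()
            i += 1
        if label == "Filesize":
            current.size = value
            continue
        value = value.lower()
        if len(value) != DIGEST_LENGTHS[label] or not HEX_RE.match(value):
            current.problems.append(f"{label} malformed: {value!r}")
            continue
        current.hashes[label] = value
    return records


def digest_set(records, algorithm="SHA256"):
    """Return the validated digests of one algorithm as a frozenset,
    ready for membership checks against EDR or file-inventory output."""
    return frozenset(r.hashes[algorithm] for r in records if algorithm in r.hashes)


# Sample block: the first and the 2.8MB entries from the report (the second
# rewritten with values on their own lines), plus a constructed third entry
# whose MD5 is one hex digit short.
SAMPLE = """\
-
Filesize
88B
MD55a80ae856d3183cc50a92f7a470a4d44
SHA16fc7f31ce53916c1e308ab77cabaae22c9197395
SHA256248bd46369dc7a6611f0009cc3be813143044d2ddd87ff5fa6d395c665ed7fe6
SHA51285507d5724f1dbc21d6c10c12f9da85d57f7cb674a814a8c506e705ec58f7fc2d32ac8f3c555df93f349409bb75e1ee500920866b514a7401e9eb1e5f4b8ac10
-
Filesize
2.8MB
MD5
ea1cd01967246105d1df5dd754c18652
SHA1
9f8f3d3bd6a8ffe090b20681afc6cd4db5c8f6fc
SHA256
64c476205c0ef86807d824120fa30cd0c5ca12c6bf629d311269362b8beb6d1e
SHA512
609d4628eb2bb9a33d602fd7520c0a05ca5026f6d595d9d21fa845ea740618f7f5da43a4cdd65bbd47c5b3b8a26b42ef7d0fe4431c9e57fda6030f7ddd2e796f
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e7009
SHA11248aa89938a13640252a79113930ede2f26f1fa
"""

if __name__ == "__main__":
    for n, rec in enumerate(parse_downloads(SAMPLE), 1):
        print(n, rec.size, sorted(rec.hashes), rec.problems)
    print(sorted(digest_set(parse_downloads(SAMPLE))))
```

Because the 31-character MD5 lands in `problems` rather than `hashes`, the record still contributes its valid SHA1, which is the behaviour wanted when a partially garbled report is the only source of indicators.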