1b8a47aaeae6064db06285e9e43e94ab2056e777272a40c01cc8ebb491ae3439

Resubmissions

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LibreScore.exe
Size

43.5MB
MD5

7017f55de790d3b97ef7c4c67498287e
SHA1

a8293f3b24083a4cad5bcea20ecd1221c3b7ea7d
SHA256

1b8a47aaeae6064db06285e9e43e94ab2056e777272a40c01cc8ebb491ae3439
SHA512

7600f7cc52cf314d849b4cb0cbfb1ae73e1e500478cd83f48d8d5c6f171d637ba333982689349d3e14428df6cc846db4bfa17c718b5666ecb2ed62bba048e4a2
SSDEEP

786432:EHEsCx3BrScppxpMBpkOGJ5PTMR7agbW/1gqhMpJbGTHMTGeJMjyNQZdJ:YYx1ScYiQI1gqszJMjyI

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4780	powershell.exe
3376	powershell.exe
3928	powershell.exe
3860	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	LibreScore.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.msix	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.msix\ = "msix_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\鰀䆟縀䆁	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\msix_auto_file\shell\Read	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\msix_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\msix_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\鰀䆟縀䆁\ = "msix_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\msix_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\msix_auto_file\shell\Read\command	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3860	powershell.exe
3860	powershell.exe
3376	powershell.exe
3376	powershell.exe
3928	powershell.exe
3928	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
3928	powershell.exe
3928	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
600	AcroRd32.exe
600	AcroRd32.exe
600	AcroRd32.exe
600	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 1652	5100	LibreScore.exe	94
PID 5100 wrote to memory of 1652	5100	LibreScore.exe	94
PID 1652 wrote to memory of 3860	1652	cmd.exe	96
PID 1652 wrote to memory of 3860	1652	cmd.exe	96
PID 1652 wrote to memory of 3376	1652	cmd.exe	98
PID 1652 wrote to memory of 3376	1652	cmd.exe	98
PID 3376 wrote to memory of 3928	3376	powershell.exe	99
PID 3376 wrote to memory of 3928	3376	powershell.exe	99
PID 3928 wrote to memory of 4596	3928	powershell.exe	101
PID 3928 wrote to memory of 4596	3928	powershell.exe	101
PID 3928 wrote to memory of 2180	3928	powershell.exe	102
PID 3928 wrote to memory of 2180	3928	powershell.exe	102
PID 3928 wrote to memory of 4780	3928	powershell.exe	103
PID 3928 wrote to memory of 4780	3928	powershell.exe	103
PID 3928 wrote to memory of 4708	3928	powershell.exe	108
PID 3928 wrote to memory of 4708	3928	powershell.exe	108
PID 2988 wrote to memory of 600	2988	OpenWith.exe	109
PID 2988 wrote to memory of 600	2988	OpenWith.exe	109
PID 2988 wrote to memory of 600	2988	OpenWith.exe	109
PID 600 wrote to memory of 4896	600	AcroRd32.exe	112
PID 600 wrote to memory of 4896	600	AcroRd32.exe	112
PID 600 wrote to memory of 4896	600	AcroRd32.exe	112
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113
PID 4896 wrote to memory of 4060	4896	RdrCEF.exe	113

C:\Users\Admin\AppData\Local\Temp\LibreScore.exe
"C:\Users\Admin\AppData\Local\Temp\LibreScore.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c LibreScore.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\version.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& {exit ( Start-Process -Wait -PassThru -FilePath PowerShell.exe -WindowStyle Hidden -ArgumentList '-WindowStyle Hidden -ExecutionPolicy Bypass -Command ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1; exit $LASTEXITCODE"" ' -Verb RunAs).ExitCode}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1; exit $LASTEXITCODE
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore root 20d296c383401e8d40c30df9f6928d72
        5⤵
        
        PID:4596
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -addstore root C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.cer
        5⤵
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Invoke-Item 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.msix'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -delstore root 20d296c383401e8d40c30df9f6928d72
        5⤵
        
        PID:4708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.msix"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D4ECABF8856099C9C7CC65DA28D5DCD5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D4ECABF8856099C9C7CC65DA28D5DCD5 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4060
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3051C64EFAAAF6078D7098CD5824B0C8 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:264
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FEA753D18A5285CD9D10221638844FA0 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2616
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=479E75CC58FF4A825EE206131B8AD8CF --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=88EE4096D467655CB50FE7E5A4FED674 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a3360e2602e08e5bc375d2fefa1d69b

SHA1
9fcbf7877275ba3b4a80dcdbd39fb1882976182c

SHA256
2fb053f6eba78c0af0b4a3d68fabfd27b7e21febc1770bae56dfb36a505d482d

SHA512
09a7dc8ba11647fe0fc4315408720dd3e5524a97f2000ca4f826c2eca91a2d3bc3e1a5ded3ceb1290c87b82313e5a456e6809f40e9d796f0df5cd2b1fb96ddf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fd2ab8d8464245af4bd0c32050b550e

SHA1
000417ac42c7f17434946571a95f74baec153ca7

SHA256
e5e21171532631873c188b53516e679f08a49655ce2a2e376dcd3a7384ef3c04

SHA512
c1530182a8a0ffb59b01a79a8ce6627bee3c67296d2003baa5377a309f219f718caee9f90baff52c36d54093ced82111f210a2c6209e4f06b5cc5f9b3cfc1345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.bat

Filesize
540B

MD5
b534ab3e3040ac92c62f9006cabb7a66

SHA1
d11c17f69da819d3fdfa18a92319e18703b1352d

SHA256
57d489860e84e5df6f7137b3b23f92ad0acd3fe2085df6d538d75b295faed875

SHA512
2ed7d6463d25112838d1a9eae8e56957039c3efdcf9aa8c05e9c73e37308708e5812d1e683ae5af6b1f99a5700b9e265752200d8ed6b9bdcf2016be71c3702b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.cer

Filesize
882B

MD5
349296b36790ddcf2ebcbe0bc2550358

SHA1
957bbcf3c4963baade35d627206a668278835666

SHA256
8217fbe5faf4280097786850f2e25a6d2c277419d22640ebd5b2a3815bb4f021

SHA512
defedf1ac4fa700b48a7959704fce2b5a39f3ce0d51b80bf9b31b68606272bfc98b9d44622ff7d9fa887eaadb64003b71ce5d911799e2996d4ce4b70cbf567a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.msix

Filesize
24.8MB

MD5
6c705509fca5e7bcf43e68906390f31b

SHA1
030720eeb6424002a5b4b15437119303c05df746

SHA256
33abecdaa887dab512f900fd850755373b86717735a51ae54bfaae62da73adcd

SHA512
9cd67d2aea2c27ef652465625067d1334a76c79a9455ded1d0d64b61039331376758d6b0aa0ca58473191e48078ad2f24f3dd7229a21aae945af2415cd26f398

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1

Filesize
1KB

MD5
5fbdde5c06c9de8f860c344b02762bc6

SHA1
741f77dbb4fdd0ea0381b02cda66f4b52e9c1d63

SHA256
c52c684f143d284e2a6c5125418573fb011a2e932084277535d7501386a6dae1

SHA512
36dec3fc7722721e003f535da3c74a56de3f7f376ab31afad009bbd176c6a0e5f92d9b233554a855d4546243a24c221bcb84a7099b331ec0638dbdb1c229966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\version.ps1

Filesize
229B

MD5
ff03e7abf5bd7092f0aaf2e1167f0269

SHA1
0433d75121835f319c8f0c377c5af633289e8725

SHA256
9f323c610e45665a94ebbbf539f3e70ec673317f718b06fbbba9309819645cf7

SHA512
5711d4de1f06520a002be579ba8aa44093e4a827b8615e29125a163f5f8c224df7515c34cc00d7c8768b88e4b767b39e2ef71dc3fa5ae66119e2138ca2231426

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pesj21kf.udm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3860-29-0x00007FF89BF10000-0x00007FF89C9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-25-0x00007FF89BF10000-0x00007FF89C9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-24-0x00007FF89BF10000-0x00007FF89C9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-14-0x000002A17F200000-0x000002A17F222000-memory.dmp

Filesize
136KB

Download
memory/3860-13-0x00007FF89BF13000-0x00007FF89BF15000-memory.dmp

Filesize
8KB

Download