Overview

overview

10

Static

static

3

launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    launcher.exe

  • Size

    291KB

  • MD5

    37992d4e5349d0a9275c8d1fe0290591

  • SHA1

    2ea1bb73a8459672c7f8a1133c4edc8040c2c63c

  • SHA256

    35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6

  • SHA512

    dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88

  • SSDEEP

    6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J

Score
10/10
phemedronexwormcredential_accessexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121
Attributes
  • Install_directory

    %AppData%

  • install_file

    GoogleUpdateUA.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 43 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 27 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
      "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateUA" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3188
      • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
        "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        3⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4004
        • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
          "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:184
        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
          4⤵
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
            "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3816
          • C:\Users\Admin\AppData\Local\Temp\launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
            5⤵
            • Checks computer location settings
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4532
            • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
              "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4800
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2648
            • C:\Users\Admin\AppData\Local\Temp\launcher.exe
              "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
              6⤵
              • Checks computer location settings
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              PID:4288
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3524
              • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4804
              • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                7⤵
                • Checks computer location settings
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:3268
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:932
                • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                  "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4808
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1416
                • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                  8⤵
                  • Checks computer location settings
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5068
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2960
                  • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                    "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3636
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2080
                  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                    9⤵
                    • Checks computer location settings
                    • Adds Run key to start application
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3960
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1864
                    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                      "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3848
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5052
                    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                      10⤵
                      • Checks computer location settings
                      • Adds Run key to start application
                      PID:4504
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1700
                      • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                        "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                        11⤵
                        • Executes dropped EXE
                        PID:2724
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1864
                      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                        11⤵
                        • Checks computer location settings
                        • Adds Run key to start application
                        PID:3804
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:2452
                        • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                          "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                          12⤵
                          • Executes dropped EXE
                          PID:1484
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:1908
                        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                          12⤵
                          • Checks computer location settings
                          • Adds Run key to start application
                          PID:2580
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                            13⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4368
                          • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                            "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                            13⤵
                            • Executes dropped EXE
                            PID:3376
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                            13⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:1976
                          • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                            "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                            13⤵
                            • Checks computer location settings
                            • Adds Run key to start application
                            PID:3596
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:3960
                            • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
                              "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
                              14⤵
                              • Executes dropped EXE
                              PID:5100
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:4232
                            • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                              "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                              14⤵
                                PID:4060
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                                14⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:4988
                              • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                                "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                                14⤵
                                • Executes dropped EXE
                                PID:2644
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                              13⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:4988
                            • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                              "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                              13⤵
                              • Executes dropped EXE
                              PID:1524
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                            12⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:3680
                          • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                            "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                            12⤵
                            • Executes dropped EXE
                            PID:2644
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                          11⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:3520
                        • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                          "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                          11⤵
                          • Executes dropped EXE
                          PID:1188
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:8
                      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                        10⤵
                        • Executes dropped EXE
                        PID:4840
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2812
                    • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:712
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4596
                  • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                    "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2320
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2868
                • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4504
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3516
              • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:220
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2276
            • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
              "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
          • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
            "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:868
        • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
          "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3348
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2960
    • C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      1⤵
      • Executes dropped EXE
      PID:1692

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    3
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GoogleUpdateUA.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log
      Filesize

      1KB

      MD5

      d7e08a6cf500fe5ab87b41795962ee19

      SHA1

      dd08782055e3e72f7a8c14ee8a27953825b18c6a

      SHA256

      e74f68eef03565053effbbfb8a786c8858edea751f40cd8c1030ca673f6ba161

      SHA512

      d4d694cde80f00642174c564969c228ae69dd31707b8e9cf52b5564b98b34d1c20857fddfeff66b597bab150be18b8166425f6cc1001c6154ba77611f0bec4d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log
      Filesize

      1KB

      MD5

      bb6a89a9355baba2918bb7c32eca1c94

      SHA1

      976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

      SHA256

      192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

      SHA512

      efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d8cb3e9459807e35f02130fad3f9860d

      SHA1

      5af7f32cb8a30e850892b15e9164030a041f4bd6

      SHA256

      2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

      SHA512

      045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3737c3eb5510d74c3d6ea770e9ff4ffb

      SHA1

      88148610a4f00560b06bc8607794d85f15bf3b64

      SHA256

      b716e0860cc27dd1035a125f44833c5999f4a0429635df6d97634f041b25effa

      SHA512

      db4db804933ab50bf56130a939040e33a57e4ec056c9e0c598bcae86bbaf093e2a22fd4ec8801f6b029985170f17859a931e63f28a7abb4f91780da2a33e1ebc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      22310ad6749d8cc38284aa616efcd100

      SHA1

      440ef4a0a53bfa7c83fe84326a1dff4326dcb515

      SHA256

      55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

      SHA512

      2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      37a924b11cf3f7f57fc56898abe9b0e6

      SHA1

      5ee379727611f74dc5fa677b65881d4c63e10f95

      SHA256

      6e7f7c5fddb3a0300740fdcbe1a8ec3a0be0f16dff193f9806364a19262b52bf

      SHA512

      903e1badb3577e0b3e92b69491596c9a402b51cdf3de43d5fb06b08c5689d2ff7ba25f8d1497d6527e943d9063a7ee79cbf2b47892de1de3b68cc7ca77853d6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      4f8703667b46839a352a4f54ea240de8

      SHA1

      5c8b039d0fd3e1f4bb052a7f5241b1e44b63aca8

      SHA256

      944beee96f2aea8a039b4e58a465e2be70941396814e517e1f9dc40c22e129e0

      SHA512

      21591b2cdbbf812e27d8c4328065f0d9e77e0697a526b515586c44119cc55dcc3f55b43df179045b955a2044304c3db3dc82a27e16d2fb6a6cbc231953106311

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      19e1e2a79d89d1a806d9f998551c82a8

      SHA1

      3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

      SHA256

      210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

      SHA512

      da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      a2c8179aaa149c0b9791b73ce44c04d1

      SHA1

      703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

      SHA256

      c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

      SHA512

      2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77b53767c7313369bd565cac6f1d1d5a

      SHA1

      24110e553add455f6070cf299034a40130a2e3e1

      SHA256

      c89655a82dc0b86da5ae6207e6704ffa0e5e460b8820018917434e6ffda85652

      SHA512

      5d6dcfd3ddab58cc5f83dd5ea14e68959794e11e59e306470cff6badd391bd3fd755e553fea8a6a12e1e38672e000f75e71f10ed7f6f0541e3ca0a59d7477639

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      eb1ad317bd25b55b2bbdce8a28a74a94

      SHA1

      98a3978be4d10d62e7411946474579ee5bdc5ea6

      SHA256

      9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

      SHA512

      d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      01fff31a70e26012f37789b179059e32

      SHA1

      555b6f05cce7daf46920df1c01eb5c55dc62c9e6

      SHA256

      adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

      SHA512

      ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      b4b6d4cc52b5a3a71149b1f33d94d5de

      SHA1

      97d3dbdd24919eab70e3b14c68797cefc07e90dd

      SHA256

      da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

      SHA512

      fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      15dde0683cd1ca19785d7262f554ba93

      SHA1

      d039c577e438546d10ac64837b05da480d06bf69

      SHA256

      d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

      SHA512

      57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      60945d1a2e48da37d4ce8d9c56b6845a

      SHA1

      83e80a6acbeb44b68b0da00b139471f428a9d6c1

      SHA256

      314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

      SHA512

      5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      da5c82b0e070047f7377042d08093ff4

      SHA1

      89d05987cd60828cca516c5c40c18935c35e8bd3

      SHA256

      77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

      SHA512

      7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      50d3033f2bc3a3774c469d03e71a79a9

      SHA1

      22027b1d52085de99b3bffa276530fea5d961471

      SHA256

      2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

      SHA512

      ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5cfe303e798d1cc6c1dab341e7265c15

      SHA1

      cd2834e05191a24e28a100f3f8114d5a7708dc7c

      SHA256

      c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

      SHA512

      ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      dbb22d95851b93abf2afe8fb96a8e544

      SHA1

      920ec5fdb323537bcf78f7e29a4fc274e657f7a4

      SHA256

      e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

      SHA512

      16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      96e3b86880fedd5afc001d108732a3e5

      SHA1

      8fc17b39d744a9590a6d5897012da5e6757439a3

      SHA256

      c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

      SHA512

      909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9078a011b49db705765cff4b845368b0

      SHA1

      533576940a2780b894e1ae46b17d2f4224051b77

      SHA256

      c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

      SHA512

      48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9bc110200117a3752313ca2acaf8a9e1

      SHA1

      fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

      SHA256

      c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

      SHA512

      1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cae60f0ddddac635da71bba775a2c5b4

      SHA1

      386f1a036af61345a7d303d45f5230e2df817477

      SHA256

      b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

      SHA512

      28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      03534e8f6969e6c830d3aaef3681521a

      SHA1

      cc18221ed87ee1100c87c44510e1ab5be0e3f844

      SHA256

      92a9782d240adcc5c10474e9610f81f9611ae3e65906e94f0f14cc6b366fbbb2

      SHA512

      da9ce5d533fd7c59063397bfe7483f9926d575e764d6b4a2d979d65672dc2c52eb0689aa24d52dba5f0da7801480beb31b2162f1cad86cdf71714648838fe2b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      0b72469ca0585278ca9c240a42085ad7

      SHA1

      dd0371aab5740e6d5f44d75f02f5f2d0a16089b2

      SHA256

      9e9693e3e021a1a0aeac855d0c2fd330568225282ed4e2d8ea1d876457efa0db

      SHA512

      77929ab5f47ec18e78e9e57f0cb9a41dd02e8974b59f692175fefdd69a6e84c6c289a8e4cb563fb064857f2c3cf6ce330e8efa7dcb352691fdbd662c90c3b577

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      735e7ecd39ed29e19993348e7e826f59

      SHA1

      0ab003c21fa5ae9f0f0669e66a6a28fc368b7c32

      SHA256

      7113df60d3d2df3db0ce1cd0cdb21fffa74beb6d3cb43ae15f451e4b16bcd33d

      SHA512

      9e60847bbd26a3288b8aa61febb68ca16bd16c660938dd742e73fcd5e09c62c405235ad078fb520d9130fa07e5127d032b104a8d330445c5279168645cc156f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      dd1d0b083fedf44b482a028fb70b96e8

      SHA1

      dc9c027937c9f6d52268a1504cbae42a39c8d36a

      SHA256

      cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

      SHA512

      96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
      Filesize

      63KB

      MD5

      9d84713a034176855221121b1b82e66d

      SHA1

      1f8b51b489510ba4d7d899b698f0ae1cf24380c3

      SHA256

      43fe14e317713480c623a3fef46f3347c7051796eac95f489db2ea2f5a9830f3

      SHA512

      434a8d9e81fb22ed38ba8c593b7d17be1d8b674b9a0441b194352a7072b7dfc20fdb81bb4aa8451d8b69671ac9f008e3d5611a209894cb1fbc86583a924e84dc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      Filesize

      121KB

      MD5

      7b6c19c2c8fc4ff9cc5b136f22cf490d

      SHA1

      e557a697a268c54a73aaffd02d25e54c4f601719

      SHA256

      cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

      SHA512

      afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fnlrgs4.pek.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk
      Filesize

      808B

      MD5

      7bc069cba9a23597d92e5eff9210aeb8

      SHA1

      4d9a8b0db59415af8157c1592de30aa5d2a2b7db

      SHA256

      c27edf1aa992b004581d38b80cc96ac67ff42a81bd62b7b7e71eaa4240b8b994

      SHA512

      0494f93929196410f16d87bd7cddd1fe995556c02ea3f72f052a6af59360667491d4f66a91d8bf7d43cc5874a0f82228de1bcb1233a7475f6ea64b2601a2f3bc

      Download Submit

    • memory/2852-313-0x000000001CB20000-0x000000001CB2C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2852-39-0x0000000000F80000-0x0000000000F96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2960-447-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-450-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-449-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-451-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-439-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-441-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-448-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-440-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-446-0x00000235EB530000-0x00000235EB531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-11-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-10-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-4-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-5-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-3-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-9-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-13-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-14-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-12-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3348-15-0x0000026D5BB20000-0x0000026D5BB21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4644-17-0x0000020479290000-0x00000204792B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4768-0-0x00007FFA8FFC3000-0x00007FFA8FFC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4768-1-0x0000000000C60000-0x0000000000CAE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4768-2-0x00007FFA8FFC0000-0x00007FFA90A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4768-76-0x00007FFA8FFC0000-0x00007FFA90A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5028-75-0x0000000000240000-0x0000000000264000-memory.dmp

      Filesize

      144KB

      Download