Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 19:55
Static task
static1
Behavioral task
behavioral1
Sample
Loader.zip
Resource
win7-20240903-en
General
-
Target
Loader.zip
-
Size
2.1MB
-
MD5
eac7fe177734fad674dd89e3db205aaa
-
SHA1
7cb4e2a116c9186d27964dfe19bc60bd3e48393d
-
SHA256
c92ea83f50af7717023de2d09b5a1d6e7975d9faf7d9758100d80b23946016d3
-
SHA512
fb85fc58af4c07257dae9b9e256d590fa2cc6e4d0978922e7e1a71c236e64496941e9fb0fde0b94d34ef037258b2ffc5a6604435a89d19b6ed1fcd0793834352
-
SSDEEP
49152:dcwa4DKh+xntUEA5LHPF+LdOEY6h97TVlCd9hauQTmHfLbBXgH:dcwa4DKMAlPGbHh97owLKH32
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
193.161.193.99:53757
hsaurcrgqwhjimnkbht
-
delay
1
-
install
true
-
install_file
Load.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Xmrig family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023cb8-29.dat family_asyncrat -
XMRig Miner payload 9 IoCs
resource yara_rule behavioral2/memory/3796-180-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-181-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-183-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-185-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-187-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-186-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-184-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-188-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/3796-189-0x0000000140000000-0x0000000140835000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1712 powershell.exe 2172 powershell.exe 5024 powershell.exe 4712 powershell.exe 2640 powershell.exe 3772 powershell.exe 4768 powershell.exe -
Creates new service(s) 2 TTPs
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Done.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Load.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk Done.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Loader.exe 3708 Done.exe 1140 Load.exe 4228 Loader.exe 208 apihost.exe 2720 Load.exe 2884 nnegaqupnsqi.exe 512 Loader.exe 404 Done.exe 4388 Load.exe 1416 Loader.exe 4440 Loader.exe 2772 Done.exe 4728 Load.exe 3296 Loader.exe 4792 Loader.exe 1796 Done.exe 2000 Load.exe 3116 Loader.exe 4532 Loader.exe 5000 nnegaqupnsqi.exe 2176 Loader.exe 2340 Done.exe 4980 Load.exe 1040 Loader.exe 2372 Loader.exe 320 Done.exe 32 Load.exe 1768 Loader.exe 4624 Done.exe 2864 Load.exe 400 Loader.exe 2112 Loader.exe 5028 Loader.exe 4552 Loader.exe 4672 Loader.exe 4176 Loader.exe 3772 Loader.exe 4724 Done.exe 3620 Load.exe 8 Loader.exe 2772 Done.exe 3268 Load.exe 4032 Loader.exe 2820 Done.exe 4484 Load.exe 4336 Loader.exe 1772 Loader.exe 3728 Loader.exe 3612 Done.exe 1600 Load.exe 1796 Loader.exe 4284 Done.exe 3016 Load.exe 876 Loader.exe 4536 Done.exe 1448 Load.exe 2064 Loader.exe 1512 Done.exe 1620 Load.exe 4156 Loader.exe 2380 Done.exe 2372 Load.exe 4908 Loader.exe -
Power Settings 1 TTPs 24 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 2728 powercfg.exe 2784 powercfg.exe 1636 powercfg.exe 4268 powercfg.exe 3612 powercfg.exe 3252 powercfg.exe 2692 powercfg.exe 1868 powercfg.exe 3540 powercfg.exe 3776 powercfg.exe 808 powercfg.exe 3664 powercfg.exe 1900 powercfg.exe 3976 powercfg.exe 3540 powercfg.exe 1628 powercfg.exe 3728 powercfg.exe 1832 powercfg.exe 4192 powercfg.exe 224 powercfg.exe 2972 powercfg.exe 3792 powercfg.exe 2052 powercfg.exe 1932 powercfg.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe nnegaqupnsqi.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe nnegaqupnsqi.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\MRT.exe nnegaqupnsqi.exe File opened for modification C:\Windows\system32\MRT.exe Loader.exe File opened for modification C:\Windows\system32\MRT.exe Loader.exe File opened for modification C:\Windows\system32\MRT.exe Loader.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2884 set thread context of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 set thread context of 3796 2884 nnegaqupnsqi.exe 165 -
resource yara_rule behavioral2/memory/3796-176-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-180-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-181-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-183-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-185-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-187-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-186-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-184-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-179-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-177-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-175-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-178-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-188-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/3796-189-0x0000000140000000-0x0000000140835000-memory.dmp upx -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4224 sc.exe 2292 sc.exe 848 sc.exe 4968 sc.exe 1172 sc.exe 3396 sc.exe 1928 sc.exe 2616 sc.exe 3420 sc.exe 4984 sc.exe 3220 sc.exe 4952 sc.exe 4932 sc.exe 4032 sc.exe 4500 sc.exe 1560 sc.exe 2708 sc.exe 4104 sc.exe 2524 sc.exe 4400 sc.exe 3620 sc.exe 4296 sc.exe 4528 sc.exe 1472 sc.exe 4300 sc.exe 396 sc.exe 3316 sc.exe 3608 sc.exe 1224 sc.exe 1596 sc.exe 4100 sc.exe 1704 sc.exe 1796 sc.exe 4080 sc.exe 4536 sc.exe 3328 sc.exe 3664 sc.exe 3840 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apihost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Done.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2696 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3244 schtasks.exe 432 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 208 apihost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1708 7zFM.exe 1708 7zFM.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1140 Load.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 2172 powershell.exe 2172 powershell.exe 1708 7zFM.exe 1708 7zFM.exe 2172 powershell.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 2720 Load.exe 2720 Load.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 2720 Load.exe 4228 Loader.exe 5024 powershell.exe 5024 powershell.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe 4228 Loader.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1708 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 1708 7zFM.exe Token: 35 1708 7zFM.exe Token: SeSecurityPrivilege 1708 7zFM.exe Token: SeDebugPrivilege 1140 Load.exe Token: SeDebugPrivilege 3708 Done.exe Token: SeDebugPrivilege 2172 powershell.exe Token: SeDebugPrivilege 2720 Load.exe Token: SeDebugPrivilege 208 apihost.exe Token: SeDebugPrivilege 5024 powershell.exe Token: SeShutdownPrivilege 3776 powercfg.exe Token: SeCreatePagefilePrivilege 3776 powercfg.exe Token: SeShutdownPrivilege 1636 powercfg.exe Token: SeCreatePagefilePrivilege 1636 powercfg.exe Token: SeShutdownPrivilege 4268 powercfg.exe Token: SeCreatePagefilePrivilege 4268 powercfg.exe Token: SeShutdownPrivilege 2784 powercfg.exe Token: SeCreatePagefilePrivilege 2784 powercfg.exe Token: SeDebugPrivilege 4712 powershell.exe Token: SeShutdownPrivilege 3252 powercfg.exe Token: SeCreatePagefilePrivilege 3252 powercfg.exe Token: SeShutdownPrivilege 3612 powercfg.exe Token: SeCreatePagefilePrivilege 3612 powercfg.exe Token: SeShutdownPrivilege 1932 powercfg.exe Token: SeCreatePagefilePrivilege 1932 powercfg.exe Token: SeShutdownPrivilege 2728 powercfg.exe Token: SeCreatePagefilePrivilege 2728 powercfg.exe Token: SeLockMemoryPrivilege 3796 explorer.exe Token: SeSecurityPrivilege 1708 7zFM.exe Token: SeSecurityPrivilege 1708 7zFM.exe Token: SeDebugPrivilege 4388 Load.exe Token: SeDebugPrivilege 4728 Load.exe Token: SeDebugPrivilege 2000 Load.exe Token: SeDebugPrivilege 2640 powershell.exe Token: SeSecurityPrivilege 1708 7zFM.exe Token: SeShutdownPrivilege 1868 powercfg.exe Token: SeCreatePagefilePrivilege 1868 powercfg.exe Token: SeShutdownPrivilege 2692 powercfg.exe Token: SeCreatePagefilePrivilege 2692 powercfg.exe Token: SeShutdownPrivilege 4192 powercfg.exe Token: SeCreatePagefilePrivilege 4192 powercfg.exe Token: SeShutdownPrivilege 1832 powercfg.exe Token: SeCreatePagefilePrivilege 1832 powercfg.exe Token: SeDebugPrivilege 3772 powershell.exe Token: SeShutdownPrivilege 3728 powercfg.exe Token: SeCreatePagefilePrivilege 3728 powercfg.exe Token: SeShutdownPrivilege 3664 powercfg.exe Token: SeCreatePagefilePrivilege 3664 powercfg.exe Token: SeShutdownPrivilege 224 powercfg.exe Token: SeCreatePagefilePrivilege 224 powercfg.exe Token: SeShutdownPrivilege 3540 powercfg.exe Token: SeCreatePagefilePrivilege 3540 powercfg.exe Token: SeDebugPrivilege 4980 Load.exe Token: SeDebugPrivilege 32 Load.exe Token: SeDebugPrivilege 2864 Load.exe Token: SeDebugPrivilege 3620 Load.exe Token: SeDebugPrivilege 3268 Load.exe Token: SeDebugPrivilege 4484 Load.exe Token: SeDebugPrivilege 1600 Load.exe Token: SeDebugPrivilege 3016 Load.exe Token: SeDebugPrivilege 1448 Load.exe Token: SeDebugPrivilege 1620 Load.exe Token: SeDebugPrivilege 2372 Load.exe Token: SeDebugPrivilege 4768 powershell.exe Token: SeShutdownPrivilege 3540 powercfg.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe 1708 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2720 Load.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2980 1708 7zFM.exe 87 PID 1708 wrote to memory of 2980 1708 7zFM.exe 87 PID 2980 wrote to memory of 3708 2980 Loader.exe 90 PID 2980 wrote to memory of 3708 2980 Loader.exe 90 PID 2980 wrote to memory of 3708 2980 Loader.exe 90 PID 2980 wrote to memory of 1140 2980 Loader.exe 91 PID 2980 wrote to memory of 1140 2980 Loader.exe 91 PID 2980 wrote to memory of 4228 2980 Loader.exe 92 PID 2980 wrote to memory of 4228 2980 Loader.exe 92 PID 1140 wrote to memory of 3164 1140 Load.exe 95 PID 1140 wrote to memory of 3164 1140 Load.exe 95 PID 1140 wrote to memory of 3196 1140 Load.exe 97 PID 1140 wrote to memory of 3196 1140 Load.exe 97 PID 3196 wrote to memory of 2696 3196 cmd.exe 100 PID 3196 wrote to memory of 2696 3196 cmd.exe 100 PID 3164 wrote to memory of 3244 3164 cmd.exe 99 PID 3164 wrote to memory of 3244 3164 cmd.exe 99 PID 3708 wrote to memory of 2172 3708 Done.exe 101 PID 3708 wrote to memory of 2172 3708 Done.exe 101 PID 3708 wrote to memory of 2172 3708 Done.exe 101 PID 3708 wrote to memory of 432 3708 Done.exe 102 PID 3708 wrote to memory of 432 3708 Done.exe 102 PID 3708 wrote to memory of 432 3708 Done.exe 102 PID 3708 wrote to memory of 208 3708 Done.exe 105 PID 3708 wrote to memory of 208 3708 Done.exe 105 PID 3708 wrote to memory of 208 3708 Done.exe 105 PID 3196 wrote to memory of 2720 3196 cmd.exe 106 PID 3196 wrote to memory of 2720 3196 cmd.exe 106 PID 4980 wrote to memory of 1620 4980 cmd.exe 114 PID 4980 wrote to memory of 1620 4980 cmd.exe 114 PID 4792 wrote to memory of 3296 4792 cmd.exe 147 PID 4792 wrote to memory of 3296 4792 cmd.exe 147 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 1612 2884 nnegaqupnsqi.exe 160 PID 2884 wrote to memory of 3796 2884 nnegaqupnsqi.exe 165 PID 2884 wrote to memory of 3796 2884 nnegaqupnsqi.exe 165 PID 2884 wrote to memory of 3796 2884 nnegaqupnsqi.exe 165 PID 2884 wrote to memory of 3796 2884 nnegaqupnsqi.exe 165 PID 2884 wrote to memory of 3796 2884 nnegaqupnsqi.exe 165 PID 1708 wrote to memory of 512 1708 7zFM.exe 166 PID 1708 wrote to memory of 512 1708 7zFM.exe 166 PID 512 wrote to memory of 404 512 Loader.exe 167 PID 512 wrote to memory of 404 512 Loader.exe 167 PID 512 wrote to memory of 404 512 Loader.exe 167 PID 512 wrote to memory of 4388 512 Loader.exe 168 PID 512 wrote to memory of 4388 512 Loader.exe 168 PID 512 wrote to memory of 1416 512 Loader.exe 169 PID 512 wrote to memory of 1416 512 Loader.exe 169 PID 4440 wrote to memory of 2772 4440 Loader.exe 172 PID 4440 wrote to memory of 2772 4440 Loader.exe 172 PID 4440 wrote to memory of 2772 4440 Loader.exe 172 PID 4440 wrote to memory of 4728 4440 Loader.exe 173 PID 4440 wrote to memory of 4728 4440 Loader.exe 173 PID 4440 wrote to memory of 3296 4440 Loader.exe 174 PID 4440 wrote to memory of 3296 4440 Loader.exe 174 PID 4792 wrote to memory of 1796 4792 Loader.exe 176 PID 4792 wrote to memory of 1796 4792 Loader.exe 176 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\7zOCA6E6BF7\Loader.exe"C:\Users\Admin\AppData\Local\Temp\7zOCA6E6BF7\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe" /st 20:01 /du 23:59 /sc daily /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:432
-
-
C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:3244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF9D.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:2696
-
-
C:\Users\Admin\AppData\Roaming\Load.exe"C:\Users\Admin\AppData\Roaming\Load.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4228 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:1620
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:3220
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:3664
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:4224
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:2616
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:4536
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "KFUNOUIY"4⤵
- Launches sc.exe
PID:1472
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "KFUNOUIY" binpath= "C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe" start= "auto"4⤵
- Launches sc.exe
PID:4300
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4100
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KFUNOUIY"4⤵
- Launches sc.exe
PID:2708
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zOCA64B0C8\Loader.exe"C:\Users\Admin\AppData\Local\Temp\7zOCA64B0C8\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:3724
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:2064
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:2524
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:3316
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:2292
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:4500
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:3328
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4400
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KFUNOUIY"4⤵
- Launches sc.exe
PID:848
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zOCA6CAD09\Loader.exe"C:\Users\Admin\AppData\Local\Temp\7zOCA6CAD09\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:3788
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4104
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:1704
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:3608
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:3396
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:4296
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:1796
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:1900
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:2972
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:3976
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4080
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KFUNOUIY"4⤵
- Launches sc.exe
PID:1224
-
-
-
-
C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exeC:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3296
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4952
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:396
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:4932
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:4104
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:4032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:1612
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:3296
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:3116
-
-
C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exeC:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5000 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1444
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:396
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4968
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:3620
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:1172
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:3840
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:3420
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3728
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:320
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:1768
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4624
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:400
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:8
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:4032
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:1772
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:1796
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4284
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:876
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4536
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:2064
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:4156
-
-
C:\Users\Admin\Desktop\Loader.exe"C:\Users\Admin\Desktop\Loader.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
PID:4908
-
-
C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exeC:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe1⤵
- Drops file in System32 directory
PID:4140 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2212
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2196
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4528
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:1596
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:1560
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:4984
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:1928
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:1628
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:808
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:3792
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:2052
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
410B
MD53bbb825ef1319deb378787046587112b
SHA167da95f0031be525b4cf10645632ca34d66b913b
SHA256d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0
SHA5127771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54
-
Filesize
18KB
MD50a2780fa4f0d771141c9253793798520
SHA1674954e2e5225931b56d072904e4105980cce370
SHA256578a2f2929c3ad3500fc20a68ca4efe40f9404a36c9dfee5ac96ad3fdcbfb642
SHA512a75043ddf0c6c6192da8a85c610afe6cddebf7ae96f94305d9fb53b1d5d42f64a266b2952faa9b2922044e030ad0c996343d775858db84e857676396bb52bee7
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
2.1MB
MD5084519881ac16c16cf9206f97a68f79e
SHA17b0fbc312ec9176a69ccb3036636e2423320cd79
SHA25689057bbeb5618835524cf8fc3a645fc5137553638520e763901fa1f2f8cdbe66
SHA51284b2867560cdbd3ca797196b208495631e49a87a2ea7451d6d68b52ea1ada0546c81d9b2e37b630440565cd53661c6541eb91c8bd662bb10780f87a7c7db5633
-
Filesize
69KB
MD52453fa8ef7ccc79cada8679f06f2be53
SHA1b3db41bc85d300a069e6636b5c9e7dcf0a6a95b2
SHA256e0e329ca03adcd56c5ff4a5cbdaff475a1cf636dfce64b7da1a05f5c74daac88
SHA512a28398843232745153b3f57d2166aca95e9f930a8334c0ffdb2db192fc8cc8b2d5f5a0a0d123a996f2aa738668209a3541ffb9ed6f42f665aefb9300cd3d45d4
-
Filesize
74KB
MD54fc5086bcb8939429aea99f7322e619b
SHA18d3bd7d005710a8ae0bd0143d18b437be20018d7
SHA256e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd
SHA51204e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2
-
Filesize
2.5MB
MD535c54b6a9227ccb7149698254dc8dd52
SHA133433b0716128f7c887d7929ec50fab495e45f38
SHA256db7744a5e7567b151e15c6159b03eb71974233db90716b38d7bb726fd61798e4
SHA512492de363f0252005a303b7b169721f8536d131bbca71ef37bae59b4b17427dda869c14eea72fd3ed69efc0a3b19b9c3b18e7d6ada1721fbf9b0ce3bfaa57cc12
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
148B
MD5246fe91ccd751c6b75df0b860f5c12ec
SHA1a9a3624872f712ec99b2817b0c51e3900ad81e51
SHA256821d60cb76835f06a4a54ed396663e689460ba031febba91c0af05ea5b637014
SHA512ea602b566e2fb24d2be07f2e7947a397d40e1e6fba0822d78d65abd9dcf0e41115d7281acc1cbccbb1855e606ef2623c6c3245e1edc1edb5399a01b28f049f91
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5