xmrig | hxxps://github[.]com/imperiska/lekers/blob/main/uthjasjedf[.]exe

Resubmissions

25-01-2025 13:26

250125-qp1zjswmhj 10

25-01-2025 13:25

250125-qn4ztawmdr 3

24-01-2025 18:46

250124-xepxvstpdk 10

Analysis

max time kernel
90s
max time network
88s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-01-2025 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe

Score

10^/10

xmrig defense_evasion discovery execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/5012-409-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-410-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-416-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-415-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-413-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-412-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-414-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-536-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5012-537-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4668	powershell.exe
1300	powershell.exe
2060	powershell.exe
1528	powershell.exe
3988	powershell.exe
3316	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
63	4796	msedge.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	uthjasjedf.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	uthjasjedf.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	uthjasjedf.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 7 IoCs

pid	Process
3740	uthjasjedf.exe
3360	uthjasjedf.exe
3316	Updater.exe
1160	uthjasjedf.exe
4436	Updater.exe
5844	uthjasjedf.exe
5400	Updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
89	pastebin.com
90	pastebin.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1516	powercfg.exe
944	powercfg.exe
4856	powercfg.exe
348	powercfg.exe
3976	powercfg.exe
5560	powercfg.exe
2160	powercfg.exe
2716	powercfg.exe
4988	powercfg.exe
3920	powercfg.exe
4300	powercfg.exe
3816	powercfg.exe
1520	powercfg.exe
692	powercfg.exe
4812	powercfg.exe
3028	powercfg.exe
6036	powercfg.exe
6004	powercfg.exe
4092	powercfg.exe
3616	powercfg.exe
4344	powercfg.exe
5560	powercfg.exe
4956	powercfg.exe
4280	powercfg.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	uthjasjedf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	uthjasjedf.exe
File opened for modification	C:\Windows\system32\MRT.exe	uthjasjedf.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3316 set thread context of 4020	3316	Updater.exe	175
PID 3316 set thread context of 5012	3316	Updater.exe	180

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5012-406-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-409-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-410-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-416-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-415-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-413-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-412-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-414-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-408-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-407-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-404-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-405-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-536-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5012-537-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\40d7a73f-adcb-4a91-b190-75bbb3945b95.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250125132714.pma	setup.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6048	sc.exe
932	sc.exe
3064	sc.exe
2444	sc.exe
5348	sc.exe
2076	sc.exe
4012	sc.exe
6104	sc.exe
1008	sc.exe
1780	sc.exe
3688	sc.exe
6116	sc.exe
3936	sc.exe
4624	sc.exe
4340	sc.exe
5552	sc.exe
4804	sc.exe
1644	sc.exe
5940	sc.exe
5888	sc.exe
6088	sc.exe
4668	sc.exe
6040	sc.exe
5260	sc.exe
6128	sc.exe
3800	sc.exe
3244	sc.exe
4344	sc.exe
5928	sc.exe
2880	sc.exe
3100	sc.exe
1468	sc.exe
6112	sc.exe
4496	sc.exe
4784	sc.exe
2244	sc.exe
2708	sc.exe
4016	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 782342.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
1724	msedge.exe
1724	msedge.exe
4736	identity_helper.exe
4736	identity_helper.exe
984	msedge.exe
984	msedge.exe
3740	uthjasjedf.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3740	uthjasjedf.exe
3316	Updater.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
3316	Updater.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
5012	explorer.exe
1160	uthjasjedf.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
5012	explorer.exe
5012	explorer.exe
1160	uthjasjedf.exe
1160	uthjasjedf.exe
1160	uthjasjedf.exe
1160	uthjasjedf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe
Token: SeShutdownPrivilege	1516	powercfg.exe
Token: SeCreatePagefilePrivilege	1516	powercfg.exe
Token: SeShutdownPrivilege	348	powercfg.exe
Token: SeCreatePagefilePrivilege	348	powercfg.exe
Token: SeShutdownPrivilege	3028	powercfg.exe
Token: SeCreatePagefilePrivilege	3028	powercfg.exe
Token: SeShutdownPrivilege	4280	powercfg.exe
Token: SeCreatePagefilePrivilege	4280	powercfg.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1300	powershell.exe
Token: SeIncreaseQuotaPrivilege	1300	powershell.exe
Token: SeSecurityPrivilege	1300	powershell.exe
Token: SeTakeOwnershipPrivilege	1300	powershell.exe
Token: SeLoadDriverPrivilege	1300	powershell.exe
Token: SeSystemtimePrivilege	1300	powershell.exe
Token: SeBackupPrivilege	1300	powershell.exe
Token: SeRestorePrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	1300	powershell.exe
Token: SeSystemEnvironmentPrivilege	1300	powershell.exe
Token: SeUndockPrivilege	1300	powershell.exe
Token: SeManageVolumePrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	6036	powercfg.exe
Token: SeCreatePagefilePrivilege	6036	powercfg.exe
Token: SeShutdownPrivilege	6004	powercfg.exe
Token: SeCreatePagefilePrivilege	6004	powercfg.exe
Token: SeShutdownPrivilege	4988	powercfg.exe
Token: SeCreatePagefilePrivilege	4988	powercfg.exe
Token: SeShutdownPrivilege	944	powercfg.exe
Token: SeCreatePagefilePrivilege	944	powercfg.exe
Token: SeLockMemoryPrivilege	5012	explorer.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeIncreaseQuotaPrivilege	2060	powershell.exe
Token: SeSecurityPrivilege	2060	powershell.exe
Token: SeTakeOwnershipPrivilege	2060	powershell.exe
Token: SeLoadDriverPrivilege	2060	powershell.exe
Token: SeSystemProfilePrivilege	2060	powershell.exe
Token: SeSystemtimePrivilege	2060	powershell.exe
Token: SeProfSingleProcessPrivilege	2060	powershell.exe
Token: SeIncBasePriorityPrivilege	2060	powershell.exe
Token: SeCreatePagefilePrivilege	2060	powershell.exe
Token: SeBackupPrivilege	2060	powershell.exe
Token: SeRestorePrivilege	2060	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4296	1724	msedge.exe	84
PID 1724 wrote to memory of 4296	1724	msedge.exe	84
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 2816	1724	msedge.exe	85
PID 1724 wrote to memory of 4796	1724	msedge.exe	86
PID 1724 wrote to memory of 4796	1724	msedge.exe	86
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87
PID 1724 wrote to memory of 2440	1724	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd1fc346f8,0x7ffd1fc34708,0x7ffd1fc34718
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff76a5d5460,0x7ff76a5d5470,0x7ff76a5d5480
    3⤵
    PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,3371306452535214442,18174690425867572150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1528
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3936
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4344
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6116
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:2076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4804
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4012
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3800
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6128
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5928
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1008
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3976
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4300
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3920
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4092
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4668
- C:\Users\Admin\Downloads\uthjasjedf.exe
  "C:\Users\Admin\Downloads\uthjasjedf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5844
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:884
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4868
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6088
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2160
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4812
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4344
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3064
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3316
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2488
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3140
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5260
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6104
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3936
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4020
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:4436
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4988
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2880
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1644
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3816
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5560

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:5400
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4976
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4624
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4340
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2716
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4956
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef0e81b130f8dcf42e80097a75e5d04d

SHA1
d8694b7c5fba1ee2e73e69dd7790ca5b1cb882db

SHA256
fc53158d948d1742e3f960124f9fdb138eaa4aa711d0f43833fa893247de4918

SHA512
c85df1696537dfce601de46183b1b22d7f0007b0f695f1904bbd1a6e429d7787c3d6199bcecdb21936d811b35eeca57a9800bcd3a3b585569aabeb0b5b497efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c58ccb4da696442ae40d3db9e4b41c3f

SHA1
e27933a94d57f04c75b8bff25ad7012171917f87

SHA256
d0d75be801bf0c5f715665c73214bfa38fd714dd9ee846de410855d96dd75931

SHA512
82a7cd39758d67f1d177ce7f46a5ee560eb60207ca7ca1e39b9a08a269ed140532bf1ec85899a033a54d20a0d59592d1cd5f5d35f71da98f6b6e35cd904e1872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
033acc152c2a9e00a2cb700ee0fc2359

SHA1
0831ffffc7d1b4bd24e0252b8fc7fd556cb4122c

SHA256
544695e17f15f26154759ef7075127aa014a508bcc03d550be0fe36b93d3cba2

SHA512
4aea2a6bb034abbaa6ade28be3b98eff8b601b344a509e328672a39f8bd2f123fbf9bf3c4316d995f6fbb2302945a4c07cbb460d7ba066c1002c382a320a6269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3c7554fe089c3bc97d7e3ba674579466

SHA1
41304ecb7630440a9ce59e012b92457811908cde

SHA256
f5ac2f2b4f942b5e769c7fbceabde5a0106a44d390e7eab990c66d0ee22d3794

SHA512
2a9e02cb38586331c182915a0a7adb68e27a9092187195273243b4be4a8d382468eef49982c1ed515ff40aabd90d4af50a505c1e83fc58f4a2eb7a3ee35bf38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
775d89fb1a0bd136a43ed46024f60929

SHA1
3b5bb6fe40081473a85111973eca3f61620a933b

SHA256
4ec51bee0724dd6a83c7e78a60f06f54a77b64ecbbe52fdb9415ae971a95f038

SHA512
f2b45e5354db467a52c77b63486a906a45b0cec1b6afd8361a2258c590e18d49f15db2cbd5b4263f083183aa7851f9c82d09526729bc0284aa52458c38330201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5872aa.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b517f763dccdae5290ee1af7b84a9d51

SHA1
715712feabfb3df3c5a737be9d82a004eceef573

SHA256
1e0483dda83c45f915278ad6f6b42c2547d82efe45136ddc4f53009c5d06fd7d

SHA512
eba692de3bf8cc08cab5a8e7d2deda8d20b5c84cae5757de192557ed883a8913076cb61ed18d1f83733413a84184c85cd976fbe099dcc1670bc5022728dec9b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35ff7057c03af79766ac33256e2a5d2e

SHA1
e4b009c2f9465ad50499639d300c156b1429ae4e

SHA256
25118882f5c1073a07c209dae9a2058c62ab33cb6dae26eb613ffc0d9d17cd47

SHA512
4dfcb205f08783fcb0b0be2476b145f86de276ce2cbc530f567af01949ddbff03b89f9f0d8d852efd7360fddda32faf901906d3ed1f87a37148bc251c667e0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0344997659ef3ebd4be8a332a6b8a93

SHA1
fab82f658c757531508c2f92b166881cb21359e7

SHA256
345c0d1d489ad8af1a40f5b5b4a51e902be59c74c71962acf43c4a7ebc4d434e

SHA512
60de07e37cfb9e22ae92f53a86aa7e7317ba7afac38176121a7470deb8b82611ea188fb62a80a82fd0f35078a27266f0bc8cebc523457f736007ef9a866525ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b440d9cc3f7690b6995b82f7e1814a5f

SHA1
2b9c3cc429bbf0b9b5d312a9dd14240402377aaf

SHA256
1e10b87cd2f4cf433e0a9584f561466d2a3f71cfe0afa8d857061de7ecff7ea5

SHA512
ee68bbc76de2edfcbd71bf309d4c6bb9db6ea88924324df015e9f983759bf7c3212ca64db289be2048ef798bbdd6b8dce2ab02c43e76f5713908472b8823b80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
62aee047a3c6cf2fec2a29a34157633b

SHA1
51b6eed704d65a62d8793ea18885d12aa39a5cf2

SHA256
342e67b65a4070bbd6e7c2fbf75c98e727d9db45fa071181cae0f5eade726ddf

SHA512
21ee4907a0dcf077f9233542462b8bfd01d976dc1fe4a7b7c4ad70d691e7b9101bddcc292e13fc83a22f56355aa5b93949ac124c84da1f43a80851bf313d895e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a18e33a424007376b810134dde07fec6

SHA1
3acbb4070e7fab6fea0f6c618aeca0964e39f7f8

SHA256
12852fe3bc04c3a3f6cdb76d7fa37cf0d7f91ffe801c70caf5ee4f5bb34e2821

SHA512
3a08afee6762546ba967965d72b90a0e0ed2a45bee0e195696c92f511c4b92634acdb669e6320359cb436e809c9672c0371042990aaf26b90da06da523ce6b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fea58c86a0dbd74b9a46fa1d6c90fbb2

SHA1
9fa2dddabddab6c9c412e56544eec342527abb2e

SHA256
fdfd3b4694ee694b1f4e0d60a52760d4223906a81f1eaba36b911db3a7b46b49

SHA512
f89e765f73fb35cfe82dd01b3cba9a98bef22a2e181a00a8484d9a16762b9b3864aaac48d80d6df08fcab5141dbc750d04ca172966b2e5f8a4fae3f807588a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd5231d31be5689f08e37a31f0acfc5d

SHA1
cb349062f2f8dad37f9c15a61b7e4980577b42f8

SHA256
dbb835d6cf0d95242961ffc79cdb625d82bb7ef3bf1152be85bc1c705c6f7004

SHA512
8b3263cb243e559c2b17f0272c8a21f8a1e03a077f1e2b767356be1549f891b72694dc55c79f7545100bf87414b5f6efaaafd34bfc9bcbc2394cb0c9721856e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c722f4183cce708e74ff23d57653e629

SHA1
db47966d9c659f0a6dc286571f1b6c3cc5d82b92

SHA256
b389dd643ee1b7b9110abb78fad37f72ee3cf4684da22e08a9832bcda55974cf

SHA512
45445d70f8f6e7beeca7a695d8a5a82b11962e289f32bfa395178fa956c05f611e783cc6a5e33e0f673b0821112a6e7b9ca8516ffcb7576b0bd8ff2f0ddb8095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9569d209d2c7736dd0bf85e5b391e18

SHA1
123597f50a683c6b8b724460aba71b8fbd92d7a7

SHA256
e65255c123e55f2972607e6f596be0e8f879a946bdceb235b635f557046bc4b7

SHA512
40d491e266869814da5f87410ca2b1de279a1bcd89ef382b13940bdbb9f017d3ad6ece22ab98c8f06fb9d227c4adeafd390be622cb27dd08240f201e96a5ca6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0qhiw2d.zrp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
355723876af59ce8ee552cb39a3a7f11

SHA1
772c886ab31c7135cbfb562679890cbfa3e904ef

SHA256
3071959a475eb04aaa1c6d2a71d66a8dcabd4a63a9abc9347602ee794ac07c1b

SHA512
14b75ce6344edefd5b9393a44c17aeab3d6dae14a2f8c24b36a8e52d917fbe438cf68ea13ef9d256b23a7bab910b124a60e6262c8d984e1a88d213c5565cf1ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6d8e614fc3917be616ec05d6a7d828fd

SHA1
fe7499a5113e71a3524748b416b6c969a85bbb84

SHA256
9d105474862f18bb796409c056f09729801ff0c11deaf25118aa9496e8cde974

SHA512
3644db6afe3f6641b6930ef10d7bc029f71b4ace3495e941b2bc1c3610cd7e82fc6def19bda3b82ca9fc5978ffde67ca7b6a2522212910893f766a44e5ed3d37

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 782342.crdownload

Filesize
5.2MB

MD5
6f163d9cd94d4a58ad722301cf9847d0

SHA1
ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

SHA256
827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

SHA512
5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

Download Submit
C:\Windows\TEMP\mfmmhcqgqlts.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6db666b8eea8c87bb44fc342dbda5fcb

SHA1
2536fb957e13fd2144e482970707286ca2625816

SHA256
079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438

SHA512
88fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4fe0be11fb007b21a2fafa6abe0bf6f

SHA1
d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a

SHA256
ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2

SHA512
1c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5075ee0b1a199b015045a57d9523eb

SHA1
9955b08788ac35e48603c92fe8ced4c70fb772d2

SHA256
951cdefbc72b2c2e00e635208282f54cfe4ca9710c563376e4749a573c7db280

SHA512
b58c476da9e608097624d2a3aabc0f9497d367a014596da6c7bc8aaa2d0e50c3375c64c2fc491e730be1c0fd94f2d0c16d68f8e746ec4ab3977a912f2a36de5a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1300-393-0x0000020531D30000-0x0000020531F4D000-memory.dmp

Filesize
2.1MB

Download
memory/1300-390-0x0000020519990000-0x000002051999A000-memory.dmp

Filesize
40KB

Download
memory/1300-388-0x00000205199A0000-0x00000205199BC000-memory.dmp

Filesize
112KB

Download
memory/1300-389-0x0000020532250000-0x0000020532305000-memory.dmp

Filesize
724KB

Download
memory/1528-466-0x000001BCCA860000-0x000001BCCA915000-memory.dmp

Filesize
724KB

Download
memory/1528-468-0x000001BCCA2C0000-0x000001BCCA4DD000-memory.dmp

Filesize
2.1MB

Download
memory/2060-441-0x00000183FAD50000-0x00000183FAF6D000-memory.dmp

Filesize
2.1MB

Download
memory/3316-513-0x00000226EE910000-0x00000226EEB2D000-memory.dmp

Filesize
2.1MB

Download
memory/3988-487-0x0000022DC5280000-0x0000022DC549D000-memory.dmp

Filesize
2.1MB

Download
memory/4020-400-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-399-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-398-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-396-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-397-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-403-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4668-361-0x00000196647E0000-0x0000019664802000-memory.dmp

Filesize
136KB

Download
memory/4668-364-0x0000019664490000-0x00000196646AD000-memory.dmp

Filesize
2.1MB

Download
memory/5012-412-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-410-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-414-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-407-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-413-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-415-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-416-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-408-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-411-0x0000000001170000-0x0000000001190000-memory.dmp

Filesize
128KB

Download
memory/5012-536-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-537-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-409-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-404-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-405-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5012-406-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download