gcleaner | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
586s
max time network
695s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

gcleaner lumma monster phorphiex redline rhadamanthys risepro xehook xworm @logscloudyt_bot bootkit evasion execution infostealer loader persistence rat spyware stealer themida trojan upx worm

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

xworm

Version

5.0

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

risepro

77.91.77.66:58709

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

lumma

https://greentastellesqwm.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Detect Xehook Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/17364-205875-0x00000000006D0000-0x00000000006FC000-memory.dmp family_xehook
Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/4104-34-0x0000000000400000-0x0000000000436000-memory.dmp family_xworm
Detects Monster Stealer. 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\stub.exe family_monster
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Phorphiex payload 1 IoCs

Processes:

resource yara_rule

C:\Windows\sysmablsvr.exe family_phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/24520-207746-0x0000000000DB0000-0x0000000000E02000-memory.dmp family_redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

resource	yara_rule
behavioral1/memory/17364-205875-0x00000000006D0000-0x00000000006FC000-memory.dmp	family_xehook

resource	yara_rule
behavioral1/memory/4104-34-0x0000000000400000-0x0000000000436000-memory.dmp	family_xworm

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\stub.exe	family_monster

resource	yara_rule
C:\Windows\sysmablsvr.exe	family_phorphiex

resource	yara_rule
behavioral1/memory/24520-207746-0x0000000000DB0000-0x0000000000E02000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

asdfg.exeghjk.exesvchost.exenative.exesvchost.exe

description	pid	process	target process
PID 3240 created 2372	3240	asdfg.exe	svchost.exe
PID 2656 created 2372	2656	ghjk.exe	svchost.exe
PID 2444 created 2416	2444	svchost.exe	file.exe
PID 9484 created 2372	9484	native.exe	svchost.exe
PID 5864 created 49132	5864	svchost.exe	time2time.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

time2time.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" time2time.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	time2time.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

limba.exeda_protected.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	limba.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

Powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
33340	Powershell.exe
4172	powershell.exe
49240	powershell.exe
47376	powershell.exe
12872	powershell.exe
46144	powershell.exe
792	powershell.exe
52232	powershell.exe
41512	powershell.exe
13860	powershell.exe
28752	powershell.exe
35120	powershell.exe
51740	powershell.exe
34732	powershell.exe
52316	powershell.exe
33452	powershell.exe
15896	powershell.exe
55636	powershell.exe
47052	powershell.exe
4572	powershell.exe
212	powershell.exe
30692	powershell.exe
28752	powershell.exe
51740	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

WindowsAutHostinstaller2.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts WindowsAutHost
File created C:\Windows\system32\drivers\etc\hosts installer2.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

19696 netsh.exe
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

14628 attrib.exe
26828 attrib.exe
31660 attrib.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

behavioral1/memory/26076-207882-0x00000000007E0000-0x0000000000B02000-memory.dmp net_reactor

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost
File created	C:\Windows\system32\drivers\etc\hosts	installer2.exe

pid	process
19696	netsh.exe

pid	process
14628	attrib.exe
26828	attrib.exe
31660	attrib.exe

resource	yara_rule
behavioral1/memory/26076-207882-0x00000000007E0000-0x0000000000B02000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da_protected.exerandom.exewmiprvse.exelimba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	limba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	limba.exe

Drops startup file 3 IoCs

Processes:

Powershell.exejsc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqnpo4bBbcAAM9ualwBCQLiQ.bat	jsc.exe

Executes dropped EXE 54 IoCs

Processes:

inte.exezardsystemschange.exelook.exelook.exeinstaller2.exefile.exeasdfg.exemonster.exestub.exemotruhjgmawes.exeworld.exeghjk.exelimba.exekorawe.exeBLueHvffhw.exeasdfg.exeBLueHvffhw.exeghjk.exenative.exeservice.exeuniv.exeFallbackBuffer.exenative.exe64.exeonecommander.exedeep.exeda_protected.exeFallbackBuffer.exesetup222.exe0x3fg.exetime2time.exeHkbsse.exeeee01.exemsa.exemsa.exe%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exeSetupWizard.exeSetupWizard.exewinsvc.exeHkbsse.exe27.exewinsvc.exeUser%20OOBE%20Broker.exesetup%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exenpp.exe2252720708.exesysmablsvr.exeHkbsse.exe106992676.exelumma123.exerandom.exemain.exeluma22222.exe1.exe

pid	process
3688	inte.exe
3560	zardsystemschange.exe
3772	look.exe
4104	look.exe
3892	installer2.exe
2416	file.exe
2020	asdfg.exe
4468	monster.exe
1540	stub.exe
372	motruhjgmawes.exe
1876	world.exe
2676	ghjk.exe
1392	limba.exe
4980	korawe.exe
5196	BLueHvffhw.exe
3240	asdfg.exe
5140	BLueHvffhw.exe
2656	ghjk.exe
5280	native.exe
7696	service.exe
8164	univ.exe
1696	FallbackBuffer.exe
9484	native.exe
28880	64.exe
12540	onecommander.exe
22844	deep.exe
38040	da_protected.exe
43096	FallbackBuffer.exe
46704	setup222.exe
6128	0x3fg.exe
49132	time2time.exe
27940	Hkbsse.exe
42132	eee01.exe
30136	msa.exe
30736	msa.exe
2316	%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
60240	SetupWizard.exe
38108	SetupWizard.exe
37072	winsvc.exe
30492	Hkbsse.exe
17364	27.exe
53648	winsvc.exe
28744	User%20OOBE%20Broker.exe
10960	setup%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
49140	npp.exe
26652	2252720708.exe
21328	sysmablsvr.exe
37212	Hkbsse.exe
31280	106992676.exe
57856	lumma123.exe
12112	random.exe
28532	main.exe
15056	luma22222.exe
28024	1.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

random.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine random.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	random.exe

Loads dropped DLL 33 IoCs

Processes:

WindowsAutHoststub.exeKoordinatorer.exe

pid	process
3912	WindowsAutHost
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
1540	stub.exe
60260	Koordinatorer.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1392-4708-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral1/memory/1392-18012-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral1/memory/38040-193289-0x0000000000A50000-0x00000000013A8000-memory.dmp	themida
behavioral1/memory/38040-193294-0x0000000000A50000-0x00000000013A8000-memory.dmp	themida

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/21916-207740-0x0000000000400000-0x00000000006AB000-memory.dmp upx
behavioral1/memory/21916-207749-0x0000000000400000-0x00000000006AB000-memory.dmp upx

resource	yara_rule
behavioral1/memory/21916-207740-0x0000000000400000-0x00000000006AB000-memory.dmp	upx
behavioral1/memory/21916-207749-0x0000000000400000-0x00000000006AB000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2252720708.exemain.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	2252720708.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\main.exe"	main.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

limba.exeda_protected.exetime2time.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	limba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	time2time.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	time2time.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

85 bitbucket.org
160 pastebin.com
161 pastebin.com
189 raw.githubusercontent.com
190 raw.githubusercontent.com
84 bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

237 ip-api.com
191 ip-api.com

flow	ioc
85	bitbucket.org
160	pastebin.com
161	pastebin.com
189	raw.githubusercontent.com
190	raw.githubusercontent.com
84	bitbucket.org

flow	ioc
237	ip-api.com
191	ip-api.com

Power Settings 1 TTPs 13 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
41660	powercfg.exe
40924	powercfg.exe
1532	powercfg.exe
2220	powercfg.exe
2580	powercfg.exe
5112	powercfg.exe
780	powercfg.exe
4292	powercfg.exe
12400	powercfg.exe
2096	powercfg.exe
3636	powercfg.exe
12976	powercfg.exe
51540	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

eee01.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 eee01.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

behavioral1/memory/12112-208036-0x00000000003D0000-0x0000000000919000-memory.dmp autoit_exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	eee01.exe

resource	yara_rule
behavioral1/memory/12112-208036-0x00000000003D0000-0x0000000000919000-memory.dmp	autoit_exe

Drops file in System32 directory 39 IoCs

Processes:

OfficeClickToRun.exesvchost.exeservice.exepowershell.exeWindowsAutHostsvchost.exeSetupWizard.exepowershell.exepowershell.exepowershell.exewinsvc.exesvchost.exepowershell.exepowershell.exepowershell.exeinstaller2.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\uqzsd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\kobberbrylluppers.dis	service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\.coD753.tmp	SetupWizard.exe
File opened for modification	C:\Windows\system32\winsvc.exe	SetupWizard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Current\FallbackBuffer	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\.coD753.tmp	SetupWizard.exe
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Hkbsse	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\qpgtwo	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	installer2.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\winnet.exe	winsvc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

installer2.exeWindowsAutHostpowershell.exeKoordinatorer.exeda_protected.exerandom.exe

pid process

3892 installer2.exe
3892 installer2.exe
3912 WindowsAutHost
3912 WindowsAutHost
792 powershell.exe
60260 Koordinatorer.exe
38040 da_protected.exe
12112 random.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

look.exezardsystemschange.exeinstaller2.exeWindowsAutHostasdfg.exeBLueHvffhw.exeghjk.exenative.exepowershell.exeonecommander.exeFallbackBuffer.exeFallbackBuffer.exetime2time.exemsa.exeInstallUtil.exelumma123.exe

description	pid	process	target process
PID 3772 set thread context of 4104	3772	look.exe	look.exe
PID 3560 set thread context of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 3892 set thread context of 1016	3892	installer2.exe	dialer.exe
PID 3912 set thread context of 2136	3912	WindowsAutHost	dialer.exe
PID 3912 set thread context of 888	3912	WindowsAutHost	dialer.exe
PID 3912 set thread context of 4128	3912	WindowsAutHost	dialer.exe
PID 2020 set thread context of 3240	2020	asdfg.exe	asdfg.exe
PID 5196 set thread context of 5140	5196	BLueHvffhw.exe	BLueHvffhw.exe
PID 2676 set thread context of 2656	2676	ghjk.exe	ghjk.exe
PID 5280 set thread context of 9484	5280	native.exe	native.exe
PID 792 set thread context of 60260	792	powershell.exe	Koordinatorer.exe
PID 12540 set thread context of 33828	12540	onecommander.exe	BitLockerToGo.exe
PID 1696 set thread context of 43096	1696	FallbackBuffer.exe	FallbackBuffer.exe
PID 43096 set thread context of 52688	43096	FallbackBuffer.exe	InstallUtil.exe
PID 49132 set thread context of 31748	49132	time2time.exe	jsc.exe
PID 30136 set thread context of 30736	30136	msa.exe	msa.exe
PID 52688 set thread context of 13548	52688	InstallUtil.exe	InstallUtil.exe
PID 57856 set thread context of 31428	57856	lumma123.exe	RegAsm.exe

Drops file in Windows directory 6 IoCs

Processes:

0x3fg.exesvchost.exewmiprvse.exe2252720708.exeservice.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	0x3fg.exe
File opened for modification	C:\Windows\Tasks\Hkbsse.job	svchost.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	wmiprvse.exe
File created	C:\Windows\sysmablsvr.exe	2252720708.exe
File opened for modification	C:\Windows\sysmablsvr.exe	2252720708.exe
File opened for modification	C:\Windows\resources\0409\Protoplasmaet.ini	service.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4420	sc.exe
788	sc.exe
3480	sc.exe
1128	sc.exe
53296	sc.exe
2744	sc.exe
4244	sc.exe
1544	sc.exe
5052	sc.exe
4896	sc.exe
22776	sc.exe
18984	sc.exe
2964	sc.exe
220	sc.exe
1440	sc.exe
3768	sc.exe
9148	sc.exe
9804	sc.exe
32032	sc.exe
1636	sc.exe
3492	sc.exe

Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd embeds_openssl
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd	embeds_openssl

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3676	3688	WerFault.exe	inte.exe
2416	3688	WerFault.exe	inte.exe
1812	3688	WerFault.exe	inte.exe
4792	3688	WerFault.exe	inte.exe
1972	3688	WerFault.exe	inte.exe
4680	3688	WerFault.exe	inte.exe
2396	3688	WerFault.exe	inte.exe
828	3688	WerFault.exe	inte.exe
976	2416	WerFault.exe	file.exe
29064	28024	WerFault.exe	1.exe

NSIS installer 2 IoCs
installer

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe nsis_installer_2

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6084 tasklist.exe

pid	process
6084	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 11 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6908 taskkill.exe
31088 taskkill.exe
37892 taskkill.exe
5180 taskkill.exe
45812 taskkill.exe
1868 taskkill.exe
12664 taskkill.exe
35076 taskkill.exe
4400 taskkill.exe
32816 taskkill.exe
9172 taskkill.exe

pid	process
6908	taskkill.exe
31088	taskkill.exe
37892	taskkill.exe
5180	taskkill.exe
45812	taskkill.exe
1868	taskkill.exe
12664	taskkill.exe
35076	taskkill.exe
4400	taskkill.exe
32816	taskkill.exe
9172	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

OfficeClickToRun.exepowershell.exewmiprvse.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-36255 = "Outbound rule for Proximity sharing over TCP"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-36507 = "Outbound rule for remote TPM Virtual Smart Card Management traffic. [TCP]"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-31308 = "Inbound rule for the Windows Media Player Network Sharing Service to allow sharing traffic. [UDP]"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@icsvc.dll,-705 = "Virtual Machine Monitoring (NB-Session-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-33503 = "Distributed Transaction Coordinator (TCP-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-37102 = "DIAL protocol server (HTTP-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-25408 = "Outbound rule to allow remote LSASS traffic for Group Policy updates [TCP]."	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-25306 = "Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration."	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-31281 = "Windows Media Player Network Sharing Service (UPnP-Out)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-28006 = "Inbound rule for the Key Management Service to allow for machine counting and license compliance. [TCP 1688]"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-29257 = "Remote Event Log Management (NP-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-34755 = "Performance Logs and Alerts (DCOM-In)"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-36104 = "Cast to Device SSDP Discovery (UDP-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-33253 = "Remote Scheduled Tasks Management (RPC)"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@firewallapi.dll,-36755 = "Inbound Rule for Remote Shutdown (RPC-EP-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-36863 = "Outbound rule to use WSD scanners on Wi-Fi Direct networks."	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-30813 = "Outbound rule for Media Center Extenders to allow traffic for Device Provisioning. [TCP]"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-28519 = "File and Printer Sharing (NB-Name-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-36862 = "Wi-Fi Direct Scan Service Use (Out)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-28779 = "Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session. (TCP-In)"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-34254 = "Windows Management Instrumentation (WMI-In)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-32010 = "Outbound rule for the Windows Peer to Peer Collaboration Foundation for Peer to Peer Communication. [TCP]"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-30524 = "Outbound rule for Wireless Portable Devices to allow use of Universal Plug and Play. [TCP]"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-25012 = "Core Networking - Router Advertisement (ICMPv6-In)"	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-25333 = "Outbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator."	wmiprvse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-28546 = "File and Printer Sharing (Echo Request - ICMPv6-Out)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-34506 = "Remote Volume Management (RPC-EPMAP)"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@FirewallAPI.dll,-31292 = "Outbound rule for the Windows Media Player Network Sharing Service to allow HTTP Media Streaming. [TCP 10243]"	wmiprvse.exe

Modifies registry class 7 IoCs

Processes:

Explorer.EXEmain.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\ms-settings\shell\open\command	main.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\ms-settings	main.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\ms-settings\shell	main.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\ms-settings\shell\open	main.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\ms-settings\shell\open\command\	main.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

installer2.exepowershell.exedialer.exeWindowsAutHostpowershell.exe

pid	process
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
1016	dialer.exe
1016	dialer.exe
3892	installer2.exe
3892	installer2.exe
3892	installer2.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
3912	WindowsAutHost
3912	WindowsAutHost
1016	dialer.exe
1016	dialer.exe
3912	WindowsAutHost
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
212	powershell.exe
212	powershell.exe
1016	dialer.exe
1016	dialer.exe
212	powershell.exe
1016	dialer.exe
1016	dialer.exe
212	powershell.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3112 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

792 powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3948 chrome.exe
3948 chrome.exe
3948 chrome.exe

pid	process
3112	Explorer.EXE

pid	process
792	powershell.exe

pid	process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exetaskkill.exelook.exepowershell.exeinstaller2.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeExplorer.EXEWindowsAutHostdialer.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2304	4363463463464363463463463.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	4104	look.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeDebugPrivilege	3892	installer2.exe
Token: SeDebugPrivilege	1016	dialer.exe
Token: SeShutdownPrivilege	780	powercfg.exe
Token: SeCreatePagefilePrivilege	780	powercfg.exe
Token: SeShutdownPrivilege	2096	powercfg.exe
Token: SeCreatePagefilePrivilege	2096	powercfg.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeCreatePagefilePrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	5112	powercfg.exe
Token: SeCreatePagefilePrivilege	5112	powercfg.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	212	powershell.exe
Token: SeIncreaseQuotaPrivilege	212	powershell.exe
Token: SeSecurityPrivilege	212	powershell.exe
Token: SeTakeOwnershipPrivilege	212	powershell.exe
Token: SeLoadDriverPrivilege	212	powershell.exe
Token: SeSystemtimePrivilege	212	powershell.exe
Token: SeBackupPrivilege	212	powershell.exe
Token: SeRestorePrivilege	212	powershell.exe
Token: SeShutdownPrivilege	212	powershell.exe
Token: SeSystemEnvironmentPrivilege	212	powershell.exe
Token: SeUndockPrivilege	212	powershell.exe
Token: SeManageVolumePrivilege	212	powershell.exe
Token: SeDebugPrivilege	3912	WindowsAutHost
Token: SeDebugPrivilege	2136	dialer.exe
Token: SeLockMemoryPrivilege	4128	dialer.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeShutdownPrivilege	4292	powercfg.exe
Token: SeCreatePagefilePrivilege	4292	powercfg.exe
Token: SeShutdownPrivilege	2580	powercfg.exe
Token: SeCreatePagefilePrivilege	2580	powercfg.exe
Token: SeShutdownPrivilege	3636	powercfg.exe
Token: SeCreatePagefilePrivilege	3636	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2700	svchost.exe
Token: SeIncreaseQuotaPrivilege	2700	svchost.exe
Token: SeSecurityPrivilege	2700	svchost.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

dwm.exerandom.exeExplorer.EXEchrome.exe

pid	process
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
12112	random.exe
3112	Explorer.EXE
3112	Explorer.EXE
12112	random.exe
12112	random.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
996	dwm.exe
996	dwm.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
12112	random.exe
3948	chrome.exe
12112	random.exe
12112	random.exe
996	dwm.exe
12112	random.exe
996	dwm.exe
12112	random.exe
12112	random.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

random.exechrome.exe

pid	process
12112	random.exe
12112	random.exe
12112	random.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
12112	random.exe
12112	random.exe
12112	random.exe
12112	random.exe
12112	random.exe
12112	random.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid process

4500 Conhost.exe
5044 Conhost.exe
1620 Conhost.exe
1436 Conhost.exe
1916 Conhost.exe
12724 Conhost.exe
54200 Conhost.exe
20544 Conhost.exe
30968 Conhost.exe
42712 Conhost.exe
19320 Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeinte.execmd.exelook.exezardsystemschange.execmd.exeinstaller2.exedialer.exe

description	pid	process	target process
PID 2304 wrote to memory of 3688	2304	4363463463464363463463463.exe	inte.exe
PID 2304 wrote to memory of 3688	2304	4363463463464363463463463.exe	inte.exe
PID 2304 wrote to memory of 3688	2304	4363463463464363463463463.exe	inte.exe
PID 3688 wrote to memory of 4508	3688	inte.exe	cmd.exe
PID 3688 wrote to memory of 4508	3688	inte.exe	cmd.exe
PID 3688 wrote to memory of 4508	3688	inte.exe	cmd.exe
PID 4508 wrote to memory of 1868	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 1868	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 1868	4508	cmd.exe	taskkill.exe
PID 2304 wrote to memory of 3560	2304	4363463463464363463463463.exe	zardsystemschange.exe
PID 2304 wrote to memory of 3560	2304	4363463463464363463463463.exe	zardsystemschange.exe
PID 2304 wrote to memory of 3772	2304	4363463463464363463463463.exe	look.exe
PID 2304 wrote to memory of 3772	2304	4363463463464363463463463.exe	look.exe
PID 2304 wrote to memory of 3772	2304	4363463463464363463463463.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3772 wrote to memory of 4104	3772	look.exe	look.exe
PID 3560 wrote to memory of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 3560 wrote to memory of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 3560 wrote to memory of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 3560 wrote to memory of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 3560 wrote to memory of 3600	3560	zardsystemschange.exe	BitLockerToGo.exe
PID 2304 wrote to memory of 3892	2304	4363463463464363463463463.exe	installer2.exe
PID 2304 wrote to memory of 3892	2304	4363463463464363463463463.exe	installer2.exe
PID 2960 wrote to memory of 4648	2960	cmd.exe	wusa.exe
PID 2960 wrote to memory of 4648	2960	cmd.exe	wusa.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 3892 wrote to memory of 1016	3892	installer2.exe	dialer.exe
PID 1016 wrote to memory of 588	1016	dialer.exe	winlogon.exe
PID 1016 wrote to memory of 648	1016	dialer.exe	lsass.exe
PID 1016 wrote to memory of 748	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 916	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 996	1016	dialer.exe	dwm.exe
PID 1016 wrote to memory of 384	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 704	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 596	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1048	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1068	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1116	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1212	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1240	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1320	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1328	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1352	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1404	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1512	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1556	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1600	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1628	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1680	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1728	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1752	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1760	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1896	1016	dialer.exe	svchost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

time2time.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" time2time.exe
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

14628 attrib.exe
26828 attrib.exe
31660 attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1068

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARgBhAGwAbABiAGEAYwBrAEIAdQBmAGYAZQByAC4AZQB4AGUAOwA=
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5852

C:\Users\Admin\AppData\Local\Current\emsngl\FallbackBuffer.exe
C:\Users\Admin\AppData\Local\Current\emsngl\FallbackBuffer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1696

C:\Users\Admin\AppData\Local\Current\emsngl\FallbackBuffer.exe
"C:\Users\Admin\AppData\Local\Current\emsngl\FallbackBuffer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:43096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of SetThreadContext
PID:52688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:13548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARgBhAGwAbABiAGEAYwBrAEIAdQBmAGYAZQByAC4AZQB4AGUAOwA=
2⤵
- Command and Scripting Interpreter: PowerShell
PID:52232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:54200

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
2⤵
- Executes dropped EXE
PID:30492

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
2⤵
- Executes dropped EXE
PID:37212

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
2⤵
PID:46928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1404

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1960

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2372

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5848

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6864

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:8424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2636

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2912

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3112

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
"C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 760
4⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 764
4⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 844
4⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 944
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 844
4⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1112
4⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1156
4⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1256
4⤵
- Program crash
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "inte.exe" /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\Files\look.exe
"C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\Files\look.exe
"C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:4648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:2964

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3492

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:4244

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2744

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsAutHost"
4⤵
- Launches sc.exe
PID:220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
4⤵
- Launches sc.exe
PID:1440

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:5052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsAutHost"
4⤵
- Launches sc.exe
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
3⤵
- Executes dropped EXE
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1560
4⤵
- Program crash
PID:976

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2020

C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5196

C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
5⤵
- Executes dropped EXE
PID:5140

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3240

C:\Users\Admin\AppData\Local\Temp\Files\monster.exe
"C:\Users\Admin\AppData\Local\Temp\Files\monster.exe"
3⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\monster.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
PID:496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:6084

C:\Users\Admin\AppData\Local\Temp\Files\motruhjgmawes.exe
"C:\Users\Admin\AppData\Local\Temp\Files\motruhjgmawes.exe"
3⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
4⤵
PID:1780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Admin\AppData\Local\Temp\RarSFX0\world.exe
world.exe -priverdD
5⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\RarSFX1\korawe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\korawe.exe"
6⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2676

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:2656

C:\Users\Admin\AppData\Local\Temp\Files\limba.exe
"C:\Users\Admin\AppData\Local\Temp\Files\limba.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1392

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5280

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:9484

C:\Users\Admin\AppData\Local\Temp\Files\service.exe
"C:\Users\Admin\AppData\Local\Temp\Files\service.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:7696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Stenendes206=Get-Content 'C:\Users\Admin\AppData\Local\gannetry\Stormskadens.Dep';$Tangent=$Stenendes206.SubString(52965,3);.$Tangent($Stenendes206)"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
5⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe
"C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe"
5⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:60260

C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
"C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
3⤵
- Executes dropped EXE
PID:8164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "univ.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe" & exit
4⤵
PID:12732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:12724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "univ.exe" /f
5⤵
- Kills process with taskkill
PID:12664

C:\Users\Admin\AppData\Local\Temp\Files\64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\64.exe"
3⤵
- Executes dropped EXE
PID:28880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:28892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a
4⤵
PID:28932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 936
4⤵
PID:28948

C:\Windows\system32\chcp.com
chcp 936
5⤵
PID:28960

C:\Users\Admin\AppData\Local\Temp\Files\onecommander.exe
"C:\Users\Admin\AppData\Local\Temp\Files\onecommander.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:12540

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:33828

C:\Users\Admin\AppData\Local\Temp\Files\deep.exe
"C:\Users\Admin\AppData\Local\Temp\Files\deep.exe"
3⤵
- Executes dropped EXE
PID:22844

C:\Users\Admin\AppData\Local\Temp\da_protected.exe
"C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:38040

C:\Users\Admin\AppData\Local\Temp\Files\setup222.exe
"C:\Users\Admin\AppData\Local\Temp\Files\setup222.exe"
3⤵
- Executes dropped EXE
PID:46704

C:\Users\Admin\AppData\Local\Temp\Files\SetupWizard.exe
SetupWizard.exe
4⤵
- Executes dropped EXE
PID:60240

C:\Users\Admin\AppData\Local\Temp\SetupWizard-658ddf627c9a88c2\SetupWizard.exe
"C:\Users\Admin\AppData\Local\Temp\SetupWizard-658ddf627c9a88c2\SetupWizard.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:38108

C:\Windows\system32\winsvc.exe
"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\SetupWizard-658ddf627c9a88c2\SetupWizard.exe"
6⤵
- Executes dropped EXE
PID:37072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
7⤵
- Command and Scripting Interpreter: PowerShell
PID:49240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:16640

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
8⤵
- Launches sc.exe
PID:9148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
7⤵
- Command and Scripting Interpreter: PowerShell
PID:41512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:48660

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
8⤵
- Launches sc.exe
PID:9804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
7⤵
- Command and Scripting Interpreter: PowerShell
PID:13860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:36800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
8⤵
- Launches sc.exe
PID:22776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
7⤵
- Command and Scripting Interpreter: PowerShell
PID:47376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:26708

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start winsvc
8⤵
- Launches sc.exe
PID:32032

C:\Users\Admin\AppData\Local\Temp\Files\0x3fg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\0x3fg.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6128

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:27940

C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe
"C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:49132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:20544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
PID:30692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:30968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops startup file
PID:31748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 49132 -s 1508
4⤵
PID:34132

C:\Users\Admin\AppData\Local\Temp\Files\eee01.exe
"C:\Users\Admin\AppData\Local\Temp\Files\eee01.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:42132

C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:30136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\msa.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
PID:33340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:33656

C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
4⤵
- Executes dropped EXE
PID:30736

C:\Users\Admin\AppData\Local\Temp\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"
3⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\Temp\Files\27.exe
"C:\Users\Admin\AppData\Local\Temp\Files\27.exe"
3⤵
- Executes dropped EXE
PID:17364

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
3⤵
- Executes dropped EXE
PID:28744

C:\Users\Admin\AppData\Local\Temp\Files\setup%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
"C:\Users\Admin\AppData\Local\Temp\Files\setup%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"
3⤵
- Executes dropped EXE
PID:10960

C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
3⤵
- Executes dropped EXE
PID:49140

C:\Users\Admin\AppData\Local\Temp\2252720708.exe
C:\Users\Admin\AppData\Local\Temp\2252720708.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:26652

C:\Windows\sysmablsvr.exe
C:\Windows\sysmablsvr.exe
5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:21328

C:\Users\Admin\AppData\Local\Temp\106992676.exe
C:\Users\Admin\AppData\Local\Temp\106992676.exe
6⤵
- Executes dropped EXE
PID:31280

C:\Users\Admin\AppData\Local\Temp\1001721972.exe
C:\Users\Admin\AppData\Local\Temp\1001721972.exe
6⤵
PID:58872

C:\Users\Admin\AppData\Local\Temp\Files\lumma123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lumma123.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:57856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:31428

C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ffd1d619758,0x7ffd1d619768,0x7ffd1d619778
5⤵
PID:13124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:2
5⤵
PID:18688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:8
5⤵
PID:47148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:8
5⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:1
5⤵
PID:9556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:1
5⤵
PID:54156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3668 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:1
5⤵
PID:34656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:8
5⤵
PID:45868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1664,i,8785558727339141545,9691242916020814256,131072 /prefetch:8
5⤵
PID:56724

C:\Users\Admin\AppData\Local\Temp\Files\main.exe
"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:28532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files\main.exe & exit
4⤵
PID:41236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:42712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files\main.exe
5⤵
- Command and Scripting Interpreter: PowerShell
PID:55636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
4⤵
PID:35584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:19320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
5⤵
- Command and Scripting Interpreter: PowerShell
PID:47052

C:\Users\Admin\AppData\Local\Temp\Files\luma22222.exe
"C:\Users\Admin\AppData\Local\Temp\Files\luma22222.exe"
3⤵
- Executes dropped EXE
PID:15056

C:\Users\Admin\AppData\Local\Temp\Files\1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:28024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 28024 -s 492
4⤵
- Program crash
PID:29064

C:\Users\Admin\AppData\Local\Temp\Files\upd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\upd.exe"
3⤵
PID:51804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:47836

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
5⤵
PID:24520

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
5⤵
PID:59772

C:\Users\Admin\AppData\Local\Temp\Files\AAct.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AAct.exe"
3⤵
PID:21916

C:\Users\Admin\AppData\Local\Temp\Files\nine.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nine.exe"
3⤵
PID:38036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\nine.exe" & exit
4⤵
PID:14404

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "nine.exe" /f
5⤵
- Kills process with taskkill
PID:9172

C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
3⤵
PID:33192

C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe"
3⤵
PID:26076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:9476

C:\Users\Admin\AppData\Local\Temp\Files\sky.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sky.exe"
3⤵
PID:41640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\sky\cmd.bat" "
4⤵
PID:15720

C:\WINDOWS\Debug\sky\svchost.exe
C:\WINDOWS\Debug\sky\svchost.exe install "Networks1" C:\WINDOWS\Debug\sky\systems.exe
5⤵
PID:40092

C:\Windows\SysWOW64\sc.exe
sc config "Networks1" DisplayName= "Networksr1"
5⤵
- Launches sc.exe
PID:53296

C:\Windows\SysWOW64\sc.exe
sc description "Networks1" "Microsoft Windows Networks"
5⤵
- Launches sc.exe
PID:18984

C:\Windows\SysWOW64\sc.exe
sc start "Networks1"
5⤵
- Launches sc.exe
PID:1636

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\debug\sky +h +a
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:14628

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\debug\sky\*.json +h +a +s +r
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:26828

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\debug\sky\*.exe +h +a +s +r
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:31660

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
5⤵
- Modifies Windows Firewall
PID:19696

C:\Users\Admin\AppData\Local\Temp\Files\newbild.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newbild.exe"
3⤵
PID:48096

C:\Users\Admin\AppData\Local\Temp\Files\070.exe
"C:\Users\Admin\AppData\Local\Temp\Files\070.exe"
3⤵
PID:21064

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4948

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3952

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3228

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1300

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1844

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2404

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1076

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4896

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3480

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:1128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4336

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2820

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3188

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:888

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:1100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:60

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
PID:3012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:12628

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:9836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
PID:44284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5864

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:38088

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:53648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:28752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:27656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:51740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:52552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:34732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:20100

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Power Settings
PID:41660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:52316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:49788

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
3⤵
- Power Settings
PID:40924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:12872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:45908

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
3⤵
- Power Settings
PID:12976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:46144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:44044

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
3⤵
- Power Settings
PID:51540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:33452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:26732

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
3⤵
- Power Settings
PID:12400

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
PID:6908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:17392

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
PID:35076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:13588

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
PID:31088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:49560

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
PID:37892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:34328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:35120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:46972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:15896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4772

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
PID:4400

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
PID:5180

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
PID:32816

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
PID:45812

C:\WINDOWS\SYSTEM32\WINCFG.EXE
"C:\WINDOWS\SYSTEM32\WINCFG.EXE"
2⤵
PID:31056

C:\WINDOWS\SYSTEM32\WINNET.EXE
"C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"
2⤵
PID:37208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:19928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:57336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:51800

C:\WINDOWS\Debug\sky\svchost.exe
C:\WINDOWS\Debug\sky\svchost.exe
1⤵
PID:39264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
fd1098bf36c3c6d56b50c60c02c18fe7

SHA1
fb1757008be14bda2b6882a7a24c26af414ba100

SHA256
e6f2b7349bf15b996d574be1fe28feb08676c2979f2d783671844a726430d46b

SHA512
b9beae9eac48a327e4d9fad09794d79e9e3493a5cdde920a1b1040ced489413ecda528ecd1201de8868d7d648b55eb3ae2af690dae8ccfa906d7f593926f858e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
35ef4dda0bb25a9668b4a68d31cb025e

SHA1
e25adb7cdfbfbc7128ff2aa753c638f5939a8c5f

SHA256
49c036ac27b1feca5dd82c16ff43cbf26c7cca8596c41130c679bfbbc1d6c1c7

SHA512
324d9b13b9ba438938fd4aa9b6263e3ffae13c65cb47a8c497383c49644671faa3f302b1bf874db2f6eb34d4bdc1088ef1fcadbf80df4650b0603fb8176d5fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
ce6db7452222afa77ad3989fade2f326

SHA1
78f26c37235de7f1c5425dfdd2f24e37d74b2630

SHA256
4281928e15447c018309a6e62d4ef5e3a1917c0c0f09a8969c47417ab696bf3f

SHA512
35ed9fbe3a4a0db48b1dcae9c29226588d3796f6b2f738808570bdeb9d549436ad72a1b2a5eb169f7a6b7d51bb3208c12eaae014d61e12715ee695b391e426d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
290KB

MD5
203e5615978372f14920f59da2696118

SHA1
eb47a810db95c507534db48cd1a4d1c2e8a35737

SHA256
01267de19a922560853b5f2f23861b38705636b956b13575ff57a66c5a402d79

SHA512
c0fbe5b0dce3f31b8b4ddca99ed6b310135f2d513142ad3038b19448f19d295dcfde5ce9ce6d29bee195b01227c30a4c8f5ecac8d1536e6242bf773f4fc0e178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB

MD5
1e2b4c3847a996bd74c6949a3b1dda0e

SHA1
1f0bd99e7adbe707e1fefdcfcfabfeed9faac3de

SHA256
6a874f565c2ebb8b141e4ea5693f5f353aeda6c3dea945ff6b14a639932e9222

SHA512
a6210a4d775ae6bf20fb92035e8c58d73e497af9fe67a924e8399d5fd7a6165e3a5e61072aca5a03563970ab824f9966ee2cdeea7596289a4f35c9f18069342a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FallbackBuffer.exe.log
Filesize
805B

MD5
381393509a7caf144cbffd96f55e0ae8

SHA1
15e2d6530fea05ca9d986535c570fcf7f8d91481

SHA256
5e8d9d066e20c07aa52b8d07d60fde4b633bb393ab1bc63a77f78d81f9512b42

SHA512
ed35defb962342f2958eb32b5b2958e2e7e70cc9420188a0364e453077e4eeb7f042eb91610d0d38e0c6137da1ac8cb2c746eab28ed1f012cc7231d8c72f5290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HONFD4R\setup[1].exe
Filesize
26.5MB

MD5
dd61b6c128268334d5fbe7382a24e228

SHA1
faad3463a02db031a87b689e3f73f015935ef716

SHA256
33988ff7224f130e15311e3811cd4c0d4e1162bbcf9946027a4defda52334609

SHA512
ac9e298e3aaf77c0d3612e767c0de18f25db8f5e25747ac239ab2e1963d814a48c7573dc86dc011b573eb13d1943aed5241152c78d59d14abde5eb4206014f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IOKXFE4P\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P1Z2RULQ\soft[1]
Filesize
1.2MB

MD5
0151e006443174af2f2ea167eb3317fe

SHA1
4867584b2bb6a5d5b9082a5a1b5d2d571eed7ce2

SHA256
af722c86835a47bbb5913361b0cedd00288aa23edd04709460902e4cc04be497

SHA512
f8ab571eece442e2c50574420165cb5beeeced3d8561b645c7f771fd28d499fb77bede7c49be1777ee6edf57f86efb6f43614415aa69837cfc1620cca9211d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
1737a1959b2a48642015fa1cb605a688

SHA1
a540586ff24dca738d530a1746bb17d1020df7f8

SHA256
f0140af0f2969bb4a21c057d31e2345f4fb956abd6177849f47f3a0455bbee3e

SHA512
c628f99941ad81d47992b9043d87c6da383788ea539ea3c65baf2c4e1fd7ec780cc1cc8aeb0e033e68b85d6fd70b37e75cabafa8a407ca0c273601437436b7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
53161828fd4bf81e08bec8623688655b

SHA1
a2a8d6828b200f2ee0e0736435fd82ddc75c9c59

SHA256
7ec9b3fdbb381731a5c83f1c6670026c53f8dcfec42dca9db1bea3240f274725

SHA512
04773973b1b3edeb33da3bd1633e06be7d150d7b0ef7d58fce72e58c9295b6ca19a3eb8b5cb387c7e4c5edda6cfc0f08b0f8e88dc92e87efff23190a68e973fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3021125337.exe
Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
Filesize
5.4MB

MD5
a2a9c309c5300a53d2c2fc41b71b174b

SHA1
f6c26eae1925425fa8966266e87a57b688fad218

SHA256
7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224

SHA512
a29eec8fa98174a74e9bd93c5902cdd95ce329ff8b7a1469901a95705dc1d7fffde58afa296399febb8559d8cd73c932945e85cce8af54e7a672d8f1618e3f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
Filesize
1.3MB

MD5
5900dba92dda0c5c57825b576e1650fc

SHA1
bf4d681bf41c4eb28119df58cd0e320d581c0542

SHA256
46ed2e58e5b02d6e62b6863e30659fe01aae9174023628a08bb977c08a3f1087

SHA512
680fec18abfe2e78e57ae29bb419d58089f13c18c2d01f725e05c3b665e41a714fb46826ea572fbfae07309e3441d5a80b43a83900d15c0602ee9fe380c195d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe
Filesize
16.2MB

MD5
5aece647826a6f39a8bb8b17cd4186d6

SHA1
446ba99bb2ca06fed22c0019a5e8671e7e3f1e62

SHA256
aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

SHA512
3997bf2eed4ebd50d7ba558bfd0c54222b53e6f1776e1499edc77de4ee8075bb0b712fde9a9a4c287f964bb86fcc3bd99f78e3012d2c7870b38810821939e9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
Filesize
220KB

MD5
cd0fd465ea4fd58cf58413dda8114989

SHA1
2ae37c14fa393dcbd68a57a49e3eecacf5be0b50

SHA256
a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe

SHA512
b05f3e05762a86aa672d3f4bed9dde6be4e9c946c02d18f470ee2542a1d5da1fa5eb4e6a33bffa8ba39e754e34cb53aa1accca8107aae218001c1a1110af371f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\look.exe
Filesize
668KB

MD5
14ab397c433b92d64015617db5065e44

SHA1
8bf6233d6689ef9bce781b7999e482906a288143

SHA256
a8602f61da135d8dd308b6acb0338f9b9da4024f9ff302490800af85b242eeed

SHA512
d9f36d85907e77316298a0b5db54c09285fba4de780b130c1a7a9d36f309c428a99ec294e6df2a71402ba2e1dc4b424c1810d1f403a45b8bd2b8799aa9cd121c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\monster.exe
Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe
Filesize
7.9MB

MD5
414d550d9c7fed5b71913ed7e4dd967b

SHA1
54e2587ae7b0911bce614baff9c3c143eb8565b9

SHA256
8537ddcdf90cfb74ec563ce669da68cb0c48bf1e9a47461dce1f9f87d8b1468c

SHA512
df1a34db483480e946e12804d01aa1157ddb03cb784ec4d701ec90454a130326e1cff88ba81e08f656fc2c3b3e06d2341b2db77fdddc104941939ed668d32324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koordinatorer.exe
Filesize
804KB

MD5
bad91a5aebcd2049ae833089d045039f

SHA1
591f6fb8f0206ea16e976e65bc6ca2fbfbe6e209

SHA256
97457372ab60773d656c19d109cd5cbf74c91d1aad85b78374675393a3e49eee

SHA512
b42f2c197925ba06b972742def7089409300009918680205a233949c379d277b577de5b4e1707ff4d732ff711a4425661ff1fd816f609f21a7feb93b2b064807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5E41.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05jrs2lo.5rv.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp6660.tmp\ioSpecial.ini
Filesize
661B

MD5
e8409683b4c099fddb46db6122fe6c3c

SHA1
f2ac926912ebd8d2f0137173f98a70b3c7eb3914

SHA256
be1659a236a2bf257f205ab43f8cc4d694d4a85f9b9caa11080c4d4dde2ea36e

SHA512
e5aefb2e799e12f5acab086574d7ffb8767bce750c3a8ed901be3bff95f8bc26ca546edc3baccf903f60424d7a80b019f6dc4ef345808cc237b3a724cb14a18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\stub.exe
Filesize
18.0MB

MD5
ed9d600d2e640eaa1c915dc516da9988

SHA1
9c10629bc0255009434e64deaee5b898fc3711e2

SHA256
2b8a2a3c53a019ca674287e1513a8e0851f2181699e37f385541537801ed1d41

SHA512
9001454bfabf2d9621ad997726aad281638c4b2e8dc134994f479d391bae91c5d0aa24317e85e8e91956cc34357e1ed9d6682f2fe9a023d74b003a420325db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A83.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AC5.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B35.tmp
Filesize
92KB

MD5
f0764eecc2d52e7c433725edd7f6e17a

SHA1
2b6c1165e7ca5c433b29db548ac2624037c8cb38

SHA256
6764736d2bd111036bea0eeb890cd75a5bb4114275abfffe615d9f79049f0ffc

SHA512
3cb2f0abc6925907488de7ecef46d60106efb98cec3c63e24e531bbf94dcd8c89ad57e0a88084eaa5083265f32134e6636f23808622db5cb3f5c83faaba96ef0

Download Submit
C:\Users\Admin\Pictures\2thyDGqa6SMIFOhAsbpzxLcz.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
c6a12fe81f17afa622880eb33f9d1cec

SHA1
429880398537a1b668f18888f05155b2559e7dda

SHA256
87dd90e102de9aee32485014511ec11f04e1cb0d1ca2e1e17d8041c505aebd29

SHA512
5b3b792926c4b112b52df963e2151b2fe47a7481988d6c311759a1205af3bcf47bff7741d6537f1cfb4f70d621e9f926ac329a91d04d2a33ff551732ccdac45c

Download Submit
C:\Windows\System32\Tasks\Hkbsse
Filesize
2KB

MD5
cf4b6c8cf90e33254dd5601d6d49c4d8

SHA1
e941273689bb51efa272e7e5b3e83296f85b6f01

SHA256
43482dc711fc5f1f2ea4ce728aee4fd077b9d5d1eebd304f7184002bc0e9aea5

SHA512
f70ddb1dd9c4e3db6e89659ddb5d4ca23891cf3c6995e4de018d91f50b54bf2bfb5d6198665a5f6d96580407dc2dbd07e8fb2a4d771081ba9e424bab19bbc001

Download Submit
C:\Windows\System32\data\router.info
Filesize
931B

MD5
03b19c10673cab82abac763499e394fa

SHA1
9920d3372549fe797521fbcf263317280cef8e7b

SHA256
206e85ea81a9b66dae48b2f7a5a3be6baa1e190fef115af37b6e01ebc6d49792

SHA512
946a6f0c6a0ab64abd6c6c9ff568779a4d761459a5a5411914511408a8bf616c83bb32ef78ff221bfc6200fef518b7228950447e8c468c52a98cedd8e3cb207b

Download Submit
C:\Windows\System32\winsvc.exe
Filesize
41.6MB

MD5
238d13dbf889e407adfb6875aa27c95c

SHA1
62454d8c236cfe8ad1e62f90cfa3e28316a89be7

SHA256
e57f7b0a1101946b2dae8d06249e9736e2093a208cd508266f41a8b2df185526

SHA512
70afaf2344e962d1bcfbb221e3139226bdd2af3d7bbe040172e70d13b6df25a2f68dac9309435fe23edaa1c7e570eaceece1cf01b36cdab39722216f1dc21514

Download Submit
C:\Windows\sysmablsvr.exe
Filesize
88KB

MD5
4505daf4c08fc8e8e1380911e98588aa

SHA1
d990eb1b2ccbb71c878944be37923b1ebd17bc72

SHA256
a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

SHA512
bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
f7892522ff70f44411dd60ed28638405

SHA1
ab16eb12875ff707bb10949670a2b6d6659b41c5

SHA256
32f44736ff15641ef054638c865384fcc4de2ac5bccc6bb123f19b55bd90d522

SHA512
d4e5c97a84d5202044c2c7739a6a75ab6c4ff70efaed2af4789c9fcc278ce39b064f280de93a61b638b626ab40a25b1d110253244807704601456791c1384bdc

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd
Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_cffi_backend.pyd
Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd
Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd
Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll
Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd
Filesize
45KB

MD5
ddd4c0ae1e0d166c22449e9dcdca20d7

SHA1
ff0e3d889b4e8bc43b0f13aa1154776b0df95700

SHA256
74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c

SHA512
c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
Filesize
1.1MB

MD5
102bbbb1f33ce7c007aac08fe0a1a97e

SHA1
9a8601bea3e7d4c2fa6394611611cda4fc76e219

SHA256
2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758

SHA512
a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\python3.dll
Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_4468_133636643131222293\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
memory/212-402-0x000001CCEA080000-0x000001CCEA139000-memory.dmp

Filesize
740KB

Download
memory/212-435-0x000001CCE9B60000-0x000001CCE9B6A000-memory.dmp

Filesize
40KB

Download
memory/212-396-0x000001CCE9B70000-0x000001CCE9B8C000-memory.dmp

Filesize
112KB

Download
memory/588-117-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/588-116-0x000001A931B90000-0x000001A931BBB000-memory.dmp

Filesize
172KB

Download
memory/588-115-0x000001A931B60000-0x000001A931B84000-memory.dmp

Filesize
144KB

Download
memory/648-120-0x0000024ADCB00000-0x0000024ADCB2B000-memory.dmp

Filesize
172KB

Download
memory/648-121-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/792-21070-0x0000000008D20000-0x0000000008DB4000-memory.dmp

Filesize
592KB

Download
memory/792-20003-0x0000000007C10000-0x0000000007C5B000-memory.dmp

Filesize
300KB

Download
memory/792-19275-0x0000000004630000-0x0000000004666000-memory.dmp

Filesize
216KB

Download
memory/792-21072-0x0000000008C80000-0x0000000008CA2000-memory.dmp

Filesize
136KB

Download
memory/792-21071-0x0000000008BA0000-0x0000000008BBA000-memory.dmp

Filesize
104KB

Download
memory/792-19565-0x00000000077B0000-0x0000000007B00000-memory.dmp

Filesize
3.3MB

Download
memory/792-19276-0x0000000006CC0000-0x00000000072E8000-memory.dmp

Filesize
6.2MB

Download
memory/792-19564-0x00000000076D0000-0x0000000007736000-memory.dmp

Filesize
408KB

Download
memory/792-20173-0x0000000007E80000-0x0000000007EF6000-memory.dmp

Filesize
472KB

Download
memory/792-20002-0x0000000007450000-0x000000000746C000-memory.dmp

Filesize
112KB

Download
memory/792-21264-0x000000000A0C0000-0x000000000A738000-memory.dmp

Filesize
6.5MB

Download
memory/792-19563-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/996-127-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/996-126-0x000001CA34090000-0x000001CA340BB000-memory.dmp

Filesize
172KB

Download
memory/1016-108-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-103-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-106-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-105-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-104-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-110-0x00007FFD36520000-0x00007FFD365CE000-memory.dmp

Filesize
696KB

Download
memory/1016-109-0x00007FFD38830000-0x00007FFD38A0B000-memory.dmp

Filesize
1.9MB

Download
memory/1016-112-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1392-4708-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1392-18012-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2020-743-0x0000000000710000-0x0000000000C88000-memory.dmp

Filesize
5.5MB

Download
memory/2020-7579-0x00000000063E0000-0x0000000006434000-memory.dmp

Filesize
336KB

Download
memory/2020-6832-0x0000000007EF0000-0x00000000082A0000-memory.dmp

Filesize
3.7MB

Download
memory/2020-6839-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/2020-744-0x0000000006730000-0x0000000006CA4000-memory.dmp

Filesize
5.5MB

Download
memory/2304-2-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/2304-1-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/2304-0-0x000000007393E000-0x000000007393F000-memory.dmp

Filesize
4KB

Download
memory/2304-3-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-4-0x000000007393E000-0x000000007393F000-memory.dmp

Filesize
4KB

Download
memory/2304-11-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-17860-0x00000000065E0000-0x0000000006634000-memory.dmp

Filesize
336KB

Download
memory/3240-7680-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3240-7950-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/3560-43-0x00007FF6A0960000-0x00007FF6A11B2000-memory.dmp

Filesize
8.3MB

Download
memory/3560-45-0x00007FF6A0960000-0x00007FF6A11B2000-memory.dmp

Filesize
8.3MB

Download
memory/3560-40-0x00007FF6A0960000-0x00007FF6A11B2000-memory.dmp

Filesize
8.3MB

Download
memory/3600-44-0x0000000000F00000-0x0000000000F59000-memory.dmp

Filesize
356KB

Download
memory/3600-46-0x0000000000F00000-0x0000000000F59000-memory.dmp

Filesize
356KB

Download
memory/3688-16-0x0000000000400000-0x0000000001F82000-memory.dmp

Filesize
27.5MB

Download
memory/3688-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-13-0x0000000001FF0000-0x000000000201D000-memory.dmp

Filesize
180KB

Download
memory/3688-12-0x0000000002050000-0x0000000002150000-memory.dmp

Filesize
1024KB

Download
memory/3688-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-29-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/3772-31-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/3772-33-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/3772-32-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/3772-30-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/3772-28-0x00000000003C0000-0x000000000046C000-memory.dmp

Filesize
688KB

Download
memory/3892-54-0x00007FF6A7F70000-0x00007FF6A9C0C000-memory.dmp

Filesize
28.6MB

Download
memory/3892-53-0x00007FFD38A20000-0x00007FFD38A22000-memory.dmp

Filesize
8KB

Download
memory/3892-52-0x00007FFD38A10000-0x00007FFD38A12000-memory.dmp

Filesize
8KB

Download
memory/4104-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-37-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/4572-61-0x000001B964440000-0x000001B964462000-memory.dmp

Filesize
136KB

Download
memory/4572-64-0x000001B964770000-0x000001B9647E6000-memory.dmp

Filesize
472KB

Download
memory/5140-15639-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5140-17864-0x0000000005350000-0x00000000053A6000-memory.dmp

Filesize
344KB

Download
memory/5140-17863-0x00000000051A0000-0x00000000051A8000-memory.dmp

Filesize
32KB

Download
memory/5140-15640-0x0000000004F80000-0x0000000005068000-memory.dmp

Filesize
928KB

Download
memory/5196-15242-0x0000000006110000-0x0000000006204000-memory.dmp

Filesize
976KB

Download
memory/5196-7679-0x0000000005210000-0x00000000054C8000-memory.dmp

Filesize
2.7MB

Download
memory/5196-7580-0x0000000000740000-0x00000000009FC000-memory.dmp

Filesize
2.7MB

Download
memory/9476-207988-0x0000000009760000-0x0000000009922000-memory.dmp

Filesize
1.8MB

Download
memory/9476-207989-0x0000000009E60000-0x000000000A38C000-memory.dmp

Filesize
5.2MB

Download
memory/9476-207951-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/12112-207349-0x00000000003D0000-0x0000000000919000-memory.dmp

Filesize
5.3MB

Download
memory/12112-208036-0x00000000003D0000-0x0000000000919000-memory.dmp

Filesize
5.3MB

Download
memory/15896-206996-0x000002054B3B0000-0x000002054B469000-memory.dmp

Filesize
740KB

Download
memory/17364-205875-0x00000000006D0000-0x00000000006FC000-memory.dmp

Filesize
176KB

Download
memory/17364-205876-0x0000000000B90000-0x0000000000BAA000-memory.dmp

Filesize
104KB

Download
memory/21916-207749-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/21916-207740-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/24520-207746-0x0000000000DB0000-0x0000000000E02000-memory.dmp

Filesize
328KB

Download
memory/24520-207768-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/24520-207774-0x0000000006E60000-0x0000000006EAB000-memory.dmp

Filesize
300KB

Download
memory/24520-207773-0x0000000006CE0000-0x0000000006D1E000-memory.dmp

Filesize
248KB

Download
memory/24520-207772-0x0000000006C80000-0x0000000006C92000-memory.dmp

Filesize
72KB

Download
memory/24520-207771-0x0000000006D50000-0x0000000006E5A000-memory.dmp

Filesize
1.0MB

Download
memory/24520-207770-0x00000000070A0000-0x00000000076A6000-memory.dmp

Filesize
6.0MB

Download
memory/24520-208144-0x0000000005880000-0x00000000058D0000-memory.dmp

Filesize
320KB

Download
memory/26076-207884-0x00000000052B0000-0x00000000052CC000-memory.dmp

Filesize
112KB

Download
memory/26076-207883-0x0000000005450000-0x00000000055A4000-memory.dmp

Filesize
1.3MB

Download
memory/26076-207882-0x00000000007E0000-0x0000000000B02000-memory.dmp

Filesize
3.1MB

Download
memory/28532-207353-0x000001D331950000-0x000001D33197E000-memory.dmp

Filesize
184KB

Download
memory/28752-206101-0x000001CFA37A0000-0x000001CFA3859000-memory.dmp

Filesize
740KB

Download
memory/30136-203263-0x0000000000100000-0x0000000000190000-memory.dmp

Filesize
576KB

Download
memory/30136-203275-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/31748-203266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/33340-203313-0x0000000007B50000-0x0000000007B9B000-memory.dmp

Filesize
300KB

Download
memory/35120-206852-0x000001C81CC70000-0x000001C81CC8C000-memory.dmp

Filesize
112KB

Download
memory/35120-206871-0x000001C81CA10000-0x000001C81CA1E000-memory.dmp

Filesize
56KB

Download
memory/38040-195524-0x0000000000A50000-0x00000000013A8000-memory.dmp

Filesize
9.3MB

Download
memory/38040-193294-0x0000000000A50000-0x00000000013A8000-memory.dmp

Filesize
9.3MB

Download
memory/38040-193289-0x0000000000A50000-0x00000000013A8000-memory.dmp

Filesize
9.3MB

Download
memory/38040-193163-0x0000000000A50000-0x00000000013A8000-memory.dmp

Filesize
9.3MB

Download
memory/47836-207728-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/49132-203257-0x000001A6BDBC0000-0x000001A6BDC1C000-memory.dmp

Filesize
368KB

Download
memory/49132-203256-0x000001A6A49B0000-0x000001A6A49B6000-memory.dmp

Filesize
24KB

Download
memory/49132-203169-0x000001A6A2C80000-0x000001A6A2C8A000-memory.dmp

Filesize
40KB

Download
memory/59772-207778-0x0000000000F30000-0x0000000000F9C000-memory.dmp

Filesize
432KB

Download

pid	process
4500	Conhost.exe
5044	Conhost.exe
1620	Conhost.exe
1436	Conhost.exe
1916	Conhost.exe
12724	Conhost.exe
54200	Conhost.exe
20544	Conhost.exe
30968	Conhost.exe
42712	Conhost.exe
19320	Conhost.exe