f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653

Analysis

max time kernel
110s
max time network
135s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Size

725KB
MD5

4d3ab2e575b8e2f10d7201677d7e784b
SHA1

8b4edc54158818aa4f92f60b320c52c51600ae25
SHA256

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653
SHA512

777c224af5045a6df1af2d2fca91b7a193cdd8425661c063f84f7cb7fccf7d030565669d1a452928984b374dfb95746ff5345039f3c4e2554e79431927ab7801

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Disabling Security Tools
T1089

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

3260 mpcmdrun.exe
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 4 IoCs

Processes:

updatewin1.exeupdatewin1.exeupdatewin2.exe5.exe

pid process

3384 updatewin1.exe
1352 updatewin1.exe
2500 updatewin2.exe
2468 5.exe
Loads dropped DLL 2 IoCs

Processes:

5.exe

pid process

2468 5.exe
2468 5.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2660 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3260	mpcmdrun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
3384	updatewin1.exe
1352	updatewin1.exe
2500	updatewin2.exe
2468	5.exe

pid	process
2468	5.exe
2468	5.exe

pid	process
2660	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3051c6ed-6ad9-4c28-a277-20f53e266451\\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe\" --AutoStart"	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

JavaScript code in executable 1 IoCs

Processes:

resource yara_rule

\ProgramData\nss3.dll js
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.2ip.ua
23 api.2ip.ua
36 ip-api.com
15 api.2ip.ua

resource	yara_rule
\ProgramData\nss3.dll	js

flow	ioc
16	api.2ip.ua
23	api.2ip.ua
36	ip-api.com
15	api.2ip.ua

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3968 taskkill.exe

pid	process
3968	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exepowershell.exepowershell.exepowershell.exe5.exe

pid	process
980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
188	powershell.exe
188	powershell.exe
188	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
2468	5.exe
2468	5.exe
2468	5.exe
2468	5.exe
2468	5.exe
2468	5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	3968	taskkill.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exeupdatewin1.exeupdatewin1.exepowershell.exe5.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 2660	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 980 wrote to memory of 2660	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 980 wrote to memory of 2660	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 980 wrote to memory of 2896	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 980 wrote to memory of 2896	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 980 wrote to memory of 2896	980	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 2896 wrote to memory of 3384	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 2896 wrote to memory of 3384	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 2896 wrote to memory of 3384	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 3384 wrote to memory of 1352	3384	updatewin1.exe	updatewin1.exe
PID 3384 wrote to memory of 1352	3384	updatewin1.exe	updatewin1.exe
PID 3384 wrote to memory of 1352	3384	updatewin1.exe	updatewin1.exe
PID 1352 wrote to memory of 3972	1352	updatewin1.exe	powershell.exe
PID 1352 wrote to memory of 3972	1352	updatewin1.exe	powershell.exe
PID 1352 wrote to memory of 3972	1352	updatewin1.exe	powershell.exe
PID 1352 wrote to memory of 188	1352	updatewin1.exe	powershell.exe
PID 1352 wrote to memory of 188	1352	updatewin1.exe	powershell.exe
PID 1352 wrote to memory of 188	1352	updatewin1.exe	powershell.exe
PID 188 wrote to memory of 1796	188	powershell.exe	powershell.exe
PID 188 wrote to memory of 1796	188	powershell.exe	powershell.exe
PID 188 wrote to memory of 1796	188	powershell.exe	powershell.exe
PID 1352 wrote to memory of 3260	1352	updatewin1.exe	mpcmdrun.exe
PID 1352 wrote to memory of 3260	1352	updatewin1.exe	mpcmdrun.exe
PID 1352 wrote to memory of 4060	1352	updatewin1.exe	cmd.exe
PID 1352 wrote to memory of 4060	1352	updatewin1.exe	cmd.exe
PID 1352 wrote to memory of 4060	1352	updatewin1.exe	cmd.exe
PID 2896 wrote to memory of 2500	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 2896 wrote to memory of 2500	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 2896 wrote to memory of 2500	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 2896 wrote to memory of 2468	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe
PID 2896 wrote to memory of 2468	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe
PID 2896 wrote to memory of 2468	2896	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe
PID 2468 wrote to memory of 4072	2468	5.exe	cmd.exe
PID 2468 wrote to memory of 4072	2468	5.exe	cmd.exe
PID 2468 wrote to memory of 4072	2468	5.exe	cmd.exe
PID 4072 wrote to memory of 3968	4072	cmd.exe	taskkill.exe
PID 4072 wrote to memory of 3968	4072	cmd.exe	taskkill.exe
PID 4072 wrote to memory of 3968	4072	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
"C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3051c6ed-6ad9-4c28-a277-20f53e266451" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:2660

C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
"C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe
"C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe
"C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:4060

C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin2.exe
"C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\5.exe
"C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\5.exe & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
473b867b22c45299c72e214824158bc8

SHA1
dfdce1aa6b4849b662a68d9678e1546e8f609676

SHA256
fb8ec9f410db6de1be3547e4ce7b18184a58a8828961e807809f610077db1fe4

SHA512
02d0912227b002f8b093d0a9a98a7555a81f57e87aa4d6838e32644425f9273fcfe98984eca354b4d92bd75c668fd3d0b5768fe3fb570b5531146ae3ab9bb5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
b64094c78dd155184fb03d4e7707eaf0

SHA1
6dee5a62bc97e211968ef94318f0db174d8721f9

SHA256
b1189511c5ff7a62294d0195dcc772cfe7e6152775fb87446f573c5b18ffc8ef

SHA512
5d95b65a9f0453f6fdabe0633d994bfd46acb1533528c4b69a53da3b93228535db6e3583ec3fa2079a436e8798cebebc3e520b7791d728a1897a034c1137ef4e

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\0d0fca0a-10d2-4e50-b19d-6d5f7a61eea3\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\3051c6ed-6ad9-4c28-a277-20f53e266451\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
MD5
4d3ab2e575b8e2f10d7201677d7e784b

SHA1
8b4edc54158818aa4f92f60b320c52c51600ae25

SHA256
f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653

SHA512
777c224af5045a6df1af2d2fca91b7a193cdd8425661c063f84f7cb7fccf7d030565669d1a452928984b374dfb95746ff5345039f3c4e2554e79431927ab7801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
13151583954f0def829054cc3eae25ec

SHA1
2a2b013e8d4201ddc8a80f9680931873702d0213

SHA256
eb542ae9c791940e8e74833eb50543dbbcbc8bf8485698fad82a8b079546c8a7

SHA512
3f7a6d0e5ca29de7b02f5cb993c508ce0c0df12c3d970a3ad6da95149b4cb5cc7a138e7ed6f83e910cb39120f199b3f74fc0ec1a14ca86435a52f247c2514aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9c7c3c99f053750078d0a35c7a1fe567

SHA1
011fe9fdfe6458ad99d54bb82b50925055b7dfc3

SHA256
cd86aabb43b0753009942e5e5078d18f434d895d9a1f0e8f8b55b03f4bc81c9e

SHA512
8d4788e7c4b19cc0c59994a4194d4eaf9129216023ed97ba02f0ab524a2e8c56cbaecd8847bdb544e9040f1aa5b7ededa5bafa935bc3f4536d40e6b244eb8d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce5a6c903277c22e5c38681906aa0f27

SHA1
46abfd49ec7fa9c80cdf9301645509873b95c56c

SHA256
4d0b71fc8d2cca1d3d557b6d204335ddb6334f0d8ebef2bce32c91c5bbaf7039

SHA512
abf27240a770ccc595eea9f4c818e94bf88ceba84dd872d17ac818dadc55eedacee2535c8a49e32790aab987d61c535f72cf46ce593dff7bada2ab2ff8dd8f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
3578b17fe5f4bbff569ddcb3aeb6f7e4

SHA1
a95d91434d1a4e76390f38df1da51bb2b666ebcb

SHA256
35635a52a9a7eb945bd9712e25a6fed74a78881f7a283360bd5f4c71f346528d

SHA512
88bd103e8183ee3e5cbf61fcad209a9945c3eb73c02b2c12ed94a2df82e521bd4db7c4b722f293e354ea56852102e9a7371eadfcb4f715fa08513b5cc4cc847a

Download Submit
C:\Users\Admin\AppData\Local\script.ps1
MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/188-43-0x0000000071E00000-0x00000000724EE000-memory.dmp

Filesize
6.9MB

Download
memory/188-56-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/188-57-0x0000000009C50000-0x0000000009C51000-memory.dmp

Filesize
4KB

Download
memory/188-41-0x0000000000000000-mapping.dmp

Download
memory/980-1-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1352-16-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1352-14-0x0000000000000000-mapping.dmp

Download
memory/1796-89-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/1796-91-0x0000000009D60000-0x0000000009D61000-memory.dmp

Filesize
4KB

Download
memory/1796-71-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/1796-68-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/1796-61-0x0000000071A50000-0x000000007213E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-83-0x0000000009C00000-0x0000000009C01000-memory.dmp

Filesize
4KB

Download
memory/1796-58-0x0000000000000000-mapping.dmp

Download
memory/2468-94-0x0000000000000000-mapping.dmp

Download
memory/2468-97-0x0000000003286000-0x0000000003287000-memory.dmp

Filesize
4KB

Download
memory/2468-98-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2500-93-0x000000000051E000-0x000000000051F000-memory.dmp

Filesize
4KB

Download
memory/2500-85-0x0000000000000000-mapping.dmp

Download
memory/2500-88-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2660-2-0x0000000000000000-mapping.dmp

Download
memory/2896-6-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2896-4-0x0000000000000000-mapping.dmp

Download
memory/3260-59-0x0000000000000000-mapping.dmp

Download
memory/3384-9-0x0000000000000000-mapping.dmp

Download
memory/3384-12-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3384-13-0x000000000048E000-0x000000000048F000-memory.dmp

Filesize
4KB

Download
memory/3968-102-0x0000000000000000-mapping.dmp

Download
memory/3972-18-0x0000000000000000-mapping.dmp

Download
memory/3972-26-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/3972-40-0x0000000009D90000-0x0000000009D91000-memory.dmp

Filesize
4KB

Download
memory/3972-39-0x0000000009DF0000-0x0000000009DF1000-memory.dmp

Filesize
4KB

Download
memory/3972-38-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/3972-37-0x00000000098B0000-0x00000000098B1000-memory.dmp

Filesize
4KB

Download
memory/3972-30-0x00000000098D0000-0x0000000009903000-memory.dmp

Filesize
204KB

Download
memory/3972-28-0x0000000008B20000-0x0000000008B21000-memory.dmp

Filesize
4KB

Download
memory/3972-27-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/3972-19-0x0000000071E00000-0x00000000724EE000-memory.dmp

Filesize
6.9MB

Download
memory/3972-25-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3972-24-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/3972-23-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/3972-22-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/3972-21-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/3972-20-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/4060-60-0x0000000000000000-mapping.dmp

Download
memory/4072-101-0x0000000000000000-mapping.dmp

Download