Malware Analysis Report

2025-01-18 02:37

Sample ID: 220205-p6yebabgdr
Target: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA256: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
Tags: persistence hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

Threat Level: Known bad

The file 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595 was found to be: Known bad.

Malicious Activity Summary

persistence hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

M00nd3v_Logger

HawkEye Reborn

M00nD3v Logger Payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-05 12:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-05 12:57

Reported: 2022-02-05 12:59

Platform: win7-en-20211208

Max time kernel: 153s

Max time network: 24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\chrome.exe -boot" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 816 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 1820 wrote to memory of 1756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 1820 wrote to memory of 1756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 1820 wrote to memory of 1756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 1756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1756 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1756 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1756 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe

"C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 888

Network

N/A

Files

memory/816-55-0x0000000000DE0000-0x0000000000ED8000-memory.dmp

memory/816-56-0x00000000002F0000-0x0000000000318000-memory.dmp

memory/816-57-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/816-58-0x00000000762C1000-0x00000000762C3000-memory.dmp

memory/816-59-0x0000000000990000-0x0000000000998000-memory.dmp

memory/816-60-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

memory/1756-64-0x0000000000D20000-0x0000000000E18000-memory.dmp

memory/1756-66-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/1756-67-0x0000000000B20000-0x0000000000B2C000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

memory/992-74-0x00000000004D0000-0x00000000004D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-05 12:57

Reported: 2022-02-05 12:59

Platform: win10v2004-en-20220112

Max time kernel: 153s

Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"

Signatures

HawkEye Reborn

Tags: keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

Tags: stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\chrome.exe -boot" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.111132" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4132" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887158764067776" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 884 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe | C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3380 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3380 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
PID 3680 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe

"C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"

Network

Country | Destination | Domain | Proto
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 209.197.3.8:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp
US | 52.143.80.209:443 | geo.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp

Files

memory/884-130-0x0000000000390000-0x0000000000488000-memory.dmp

memory/884-131-0x0000000004E10000-0x0000000004E11000-memory.dmp

memory/884-132-0x0000000004F20000-0x0000000004F86000-memory.dmp

memory/884-133-0x0000000005160000-0x0000000005322000-memory.dmp

memory/884-134-0x00000000059A0000-0x00000000059C2000-memory.dmp

memory/884-135-0x0000000005F80000-0x0000000006524000-memory.dmp

memory/884-136-0x0000000005AC0000-0x0000000005B52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

memory/3680-139-0x0000000004B60000-0x0000000004D20000-memory.dmp

memory/3680-140-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

memory/2364-141-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5 9cf33a9d11e1a0eddb2481e862487bb2
SHA1 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec