Malware Analysis Report

2024-09-23 04:52

Sample ID 220220-pamypscedl
Target b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6
SHA256 b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6
Tags qulab discovery evasion ransomware spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6

Threat Level: Known bad

The file b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Sets file to hidden

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

autoit_exe

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Views/modifies file attributes

NTFS ADS

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-02-20 12:07

Signatures

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 12:07

Reported

2022-02-20 12:10

Platform

win7-en-20211208

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A

Note: no file is written to System32 here. The "path" is the WMI moniker string winmgmts:\localhost\ resolved as a relative path against the process's working directory, which for at least one NlsLexicons001d.exe instance was C:\Windows\SysWOW64 (consistent with the copies started by taskeng.exe, which inherit a system directory as working directory). The same string appears under NTFS ADS below, resolved against two other working directories. Treat this row as a WMI query, not as a file drop.

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A

Note: both rows are the same artefact. The WMI moniker string winmgmts:\localhost\ is passed as a relative path and resolved against the current directory of each process (the Temp directory for the original sample, the resources directory for the dropped copy). The colon in the moniker is what trips the NTFS ADS heuristic; no alternate data stream is created. The sample is an AutoIt executable (autoit_exe), and WMI queries through this moniker are consistent with the "Enumerates physical storage devices" and "Checks installed software on the system" signatures. The identical string under "Drops file in System32 directory" above has the same cause.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1592 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe 4
PID 952 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe 4
PID 952 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Windows\SysWOW64\attrib.exe 4
PID 1740 wrote to memory of 1628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe 4
PID 1740 wrote to memory of 1456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe 4

Note: the report lists each row four times; the Count column collapses the repeats. A parent writing into the memory of a child it has just created is normal CreateProcess behaviour, so these rows document process creation rather than injection into a foreign process. Read as a tree: the sample (1592) starts its dropped copy NlsLexicons001d.exe (952), which starts NlsLexicons001d.module.exe (1316, the archiver; see its command line under Processes) and attrib.exe (1108, which hides the staging directory). taskeng.exe (1740), the Windows 7 Task Scheduler engine, later starts NlsLexicons001d.exe twice more (1628, 1456): the dropped copy is being run from a scheduled task, i.e. persistence, although no task-registration signature fired in this detonation.
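The table above is easier to reason about as a tree. The following Python script is an added example and not part of the original report or of any tool the report mentions: it takes the WriteProcessMemory rows in the report's own wording (embedded below, including the four-fold repetition the page shows), collapses the duplicates, rebuilds the parent/child relationships and flags the two things a responder should notice, the attrib.exe child and the taskeng.exe root. It assumes the row layout "PID <src> wrote to memory of <dst> N/A <source image> <target image>" with space-free paths, as on this page; the helper names are my own.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Process images exactly as they appear in the report (behavioral1).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"
RESOURCES = r"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"
DROPPED = RESOURCES + r"\NlsLexicons001d.exe"
PACKER = RESOURCES + r"\NlsLexicons001d.module.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"


def _row(src, dst, src_img, dst_img):
    """One table row in the report's wording ("N/A" is the empty Indicator column)."""
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Constructed from the table: every row is repeated four times on the page,
# and that repetition is reproduced here so the parser has to collapse it.
WPM_ROWS = (
    [_row(1592, 952, SAMPLE, DROPPED)] * 4
    + [_row(952, 1316, DROPPED, PACKER)] * 4
    + [_row(952, 1108, DROPPED, ATTRIB)] * 4
    + [_row(1740, 1628, TASKENG, DROPPED)] * 4
    + [_row(1740, 1456, TASKENG, DROPPED)] * 4
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """Collapse repeated rows into (src, dst) -> count and remember each PID's image."""
    edges = Counter()
    image = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row}")
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        image.setdefault(int(src), src_img)
        image.setdefault(int(dst), dst_img)
    return edges, image


def build_tree(edges):
    """Return (roots, children): roots are writers nobody wrote to, children are sorted."""
    children = defaultdict(list)
    parent = {}
    for src, dst in sorted(edges):
        children[src].append(dst)
        parent[dst] = src
    roots = sorted(pid for pid in children if pid not in parent)
    return roots, dict(children)


def render(roots, children, image, edges):
    """Indented text tree, one line per process, with the repeat count on each edge."""
    lines = []

    def walk(pid, depth, count=None):
        tag = f"  <- {count}x WriteProcessMemory" if count else ""
        lines.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0)
    return lines


def findings(roots, children, image):
    """Flag a scheduled-task launcher as root and any attrib.exe child."""
    out = []
    for root in roots:
        if ntpath.basename(image[root]).lower() == "taskeng.exe":
            relaunched = sorted({ntpath.basename(image[c]) for c in children[root]})
            out.append(f"scheduled task relaunches {', '.join(relaunched)} under taskeng.exe (PID {root})")
    for pid, kids in children.items():
        for child in kids:
            if ntpath.basename(image[child]).lower() == "attrib.exe":
                out.append(f"{ntpath.basename(image[pid])} (PID {pid}) spawns attrib.exe (PID {child})")
    return out


if __name__ == "__main__":
    edges, image = parse_rows(WPM_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, image, edges)))
    for f in findings(roots, children, image):
        print("!", f)
```

Two roots come out of the five distinct edges: the sample itself (1592) and taskeng.exe (1740). The second root is the important one; a process tree whose only parent is the Task Scheduler engine means a task was registered earlier in the run, even though the report has no signature for the registration itself.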

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe

"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {1F897DFB-CD77-4BA9-AF47-CDFF4CC4F3AC} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
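The three command lines above (the archiver invocation, the attrib call and the taskeng.exe launch) carry most of the triage value in this report. The following Python script is an added example, not part of the original report or of any tool the report mentions. It parses those command lines as copied from the page, hex-decodes the archive name and cross-checks it against the host and user in the taskeng.exe argument, and confirms that attrib targets the directory holding the archive. The switch meanings are 7-Zip's (the invocation uses 7-Zip's "a" add syntax); the function names, the printable-ASCII check and the list of expected 7-Zip image names are my own choices.

```python
import ntpath
import re

# Command lines copied from the Processes section of behavioral1. RESOURCES is
# the directory the sample created under %APPDATA%.
RESOURCES = r"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"
SEVENZIP_CMD = (
    RESOURCES + r"\NlsLexicons001d.module.exe a -y -mx9 -ssw "
    + '"' + RESOURCES + r"\41646D696E565156564F414A4B57494E5F375836.7z" + '" '
    + '"' + RESOURCES + r"\1\*" + '"'
)
ATTRIB_CMD = 'attrib +s +h "' + RESOURCES + '"'
TASKENG_CMD = (
    r"taskeng.exe {1F897DFB-CD77-4BA9-AF47-CDFF4CC4F3AC} "
    r"S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]"
)

# 7-Zip switch semantics for the switches seen on the page.
SWITCHES = {
    "-y": "assume Yes on all prompts",
    "-mx9": "ultra compression",
    "-ssw": "compress files that are open for writing",
}

# Images that legitimately use this syntax; anything else is a renamed copy.
SEVENZIP_IMAGES = ("7z.exe", "7za.exe", "7zr.exe")

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_7z_add(cmdline):
    """Parse '<image> a [switches] <archive> <source>...' (7-Zip 'add' syntax)."""
    tokens = tokenize(cmdline)
    if len(tokens) < 4 or tokens[1] != "a":
        raise ValueError("not a 7-Zip 'a' (add) command line")
    switches = [t for t in tokens[2:] if t.startswith("-")]
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    return {
        "image": tokens[0],
        "switches": switches,
        "switch_meaning": {s: SWITCHES.get(s, "unknown") for s in switches},
        "archive": positional[0],
        "sources": positional[1:],
    }


def decode_hex_stem(archive):
    """Return the ASCII text behind a hex-only archive file name, else None."""
    stem = ntpath.splitext(ntpath.basename(archive))[0]
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", stem):
        return None
    raw = bytes.fromhex(stem)
    if not all(0x20 <= b < 0x7F for b in raw):   # require printable ASCII
        return None
    return raw.decode("ascii")


def parse_attrib(cmdline):
    """Return the attributes attrib.exe sets/clears and the path it touches."""
    tokens = tokenize(cmdline)
    if ntpath.basename(tokens[0]).lower() not in ("attrib", "attrib.exe"):
        raise ValueError("not an attrib command line")
    setf = {t[1:].lower() for t in tokens[1:] if t.startswith("+")}
    clearf = {t[1:].lower() for t in tokens[1:] if t.startswith("-")}
    paths = [t for t in tokens[1:] if t[0] not in "+-/"]
    return {"set": setf, "cleared": clearf, "target": paths[0] if paths else None}


def parse_taskeng(cmdline):
    """Pull (host, user) out of taskeng.exe's '<SID>:HOST\\USER:Interactive' argument."""
    m = re.search(r":([^:\\]+)\\([^:]+):Interactive", cmdline)
    if not m:
        raise ValueError("no HOST\\USER token in taskeng command line")
    return m.group(1), m.group(2)


def triage(sevenzip_cmd=SEVENZIP_CMD, attrib_cmd=ATTRIB_CMD, taskeng_cmd=TASKENG_CMD):
    """Cross-check the three command lines and return human-readable findings."""
    findings = []
    z = parse_7z_add(sevenzip_cmd)
    image = ntpath.basename(z["image"]).lower()
    if image not in SEVENZIP_IMAGES:
        findings.append(f"7-Zip add syntax used by a binary not named like 7-Zip: {image}")
    decoded = decode_hex_stem(z["archive"])
    host, user = parse_taskeng(taskeng_cmd)
    if decoded and user in decoded and host in decoded:
        findings.append(
            f"archive name hex-decodes to {decoded!r}: it encodes the victim identity "
            f"(user {user!r}, host {host!r})"
        )
    a = parse_attrib(attrib_cmd)
    archive_dir = ntpath.dirname(z["archive"])
    if {"s", "h"} <= a["set"] and a["target"] and archive_dir.lower() == a["target"].lower():
        findings.append(f"staging directory {a['target']} marked system+hidden by attrib")
    return findings


if __name__ == "__main__":
    for line in triage():
        print("-", line)
```

The archive stem decodes to AdminVQVVOAJKWIN_7X6: the username and hostname that also appear in the taskeng.exe argument (VQVVOAJK\Admin), followed by a short tag the report does not explain. Two durable indicators fall out of this: a .7z in %APPDATA% whose name is nothing but hex, and a binary not named like 7-Zip being run with 7-Zip's add syntax.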

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp
RU 185.142.97.228:65233 (none, direct to IP) tcp
RU 185.142.97.228:65233 (none, direct to IP) tcp

Note: the ipapi.co DNS query and HTTPS connection are the "Looks up external IP address via web service" signature. The two connections to 185.142.97.228:65233 are made without a preceding DNS lookup, to a non-standard high port, after the sample has packed the staging directory into a .7z archive (see Processes); treat that IP:port as the candidate exfiltration/C2 endpoint. The report records only the connections, not what was sent over them.

Files

memory/1592-54-0x0000000076421000-0x0000000076423000-memory.dmp

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Information.txt

MD5 bbbc12cf3898f4c38a4e14e68f499e95
SHA1 55f0be744517ea5a22e5394ddbbb88c82ffc41fc
SHA256 907d2b1753848cfbd44b5ef33098c4d42c61d7dcff6fab9d2b281bd68cbd95d8
SHA512 05b459c0af6925714b147b91922e5566008be07abf15690c7b10280511594b98dddc19435c3d404c16369227fc376fe2e35adb5d44ac8aff52fd755620fd7479

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Screen.jpg

MD5 d7605257a19f8820decbd81af6ea1dbf
SHA1 14ac59a9a9c89ca90ce9f7f04bba24521fcca6f2
SHA256 64fa53b94d7f95928d9610c991bb60dcf5be450934f351a1fb3616fbf89b5f6b
SHA512 730b6c12162107cf647e83316b8dfff16a6c08d1d003d2b5a763f44fbc03c3cbe3d98aca0afc0ea2b94471f279b404e94b3dba38cc6886195906135f8832dc6b

Note: Information.txt and Screen.jpg are written into the 1\ subdirectory of the resources folder, which is exactly the source path (...\1\*) that the archiver command line under Processes packs into the hex-named .7z; they are the collected data staged for exfiltration. The names suggest a host/profile summary and a screen capture; the report does not show their contents. NlsLexicons001d.sqlite3.module.dll, dropped alongside the loader ("Loads dropped DLL" in the summary), is consistent with the "Reads user/profile data of web browsers" signature, since browser credential and cookie stores are SQLite databases.

memory/952-62-0x0000000002D50000-0x0000000002D51000-memory.dmp

memory/952-63-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/952-64-0x0000000002D60000-0x0000000002D61000-memory.dmp

memory/952-65-0x0000000002D80000-0x0000000002D81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 12:07

Reported

2022-02-20 12:10

Platform

win10v2004-en-20220112

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A

Note: as in behavioral1, the indicator is the WMI moniker string winmgmts:\localhost\ resolved as a relative path against a SysWOW64 working directory; nothing is written to System32.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132900088835742972" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3984" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.575771" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.260716" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A

Note: every row in the "Drops file in Windows directory", "Checks processor information in registry" and "Modifies data under HKEY_USERS" tables is attributed to a Windows system process: svchost.exe writing Delivery Optimization state under the NetworkService hive (S-1-5-20), TiWorker.exe servicing the component store, and MusNotifyIcon.exe from Windows Update. This is background activity of the win10v2004 VM during the 151 s run, not behaviour of the sample, and none of it should be turned into an indicator.

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe N/A

Note: same artefact as in behavioral1: the WMI moniker winmgmts:\localhost\ resolved against each process's current directory. The colon triggers the ADS heuristic; no alternate data stream is created.

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A
Token: 35 (privilege reported by LUID only; LUID 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE) N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
(TiWorker.exe keeps toggling SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege in this pattern for the rest of the run; the identical rows are omitted here)

Note: the TiWorker.exe rows are the Windows servicing stack (build 10.0.19041.1220 in the path) doing component-store maintenance in the background of the VM and are unrelated to the sample. The four NlsLexicons001d.module.exe rows do belong to the sample: that process is launched with 7-Zip's add syntax (see the Processes section of behavioral1), and AdjustTokenPrivileges only enables privileges the token already holds, so enabling SeRestorePrivilege, SeSecurityPrivilege and SeCreateSymbolicLinkPrivilege before walking a directory tree is consistent with an archiver preparing to read security descriptors and reparse points, not with privilege escalation.
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
PID 884 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
PID 884 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
PID 3088 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
PID 3088 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
PID 3088 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
PID 3088 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Windows\SysWOW64\attrib.exe
PID 3088 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Windows\SysWOW64\attrib.exe
PID 3088 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe

"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
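The process tree above shows the stealer's staging routine in three command lines: the dropped `NlsLexicons001d.module.exe` is invoked with 7-Zip's add syntax (`a` adds to an archive, `-y` answers every prompt, `-mx9` is maximum compression, `-ssw` also compresses files that are open for writing) to pack the collected `1\` directory (Information.txt, Screen.jpg) into a `.7z` whose file name is an all-hex string, and `attrib +s +h` then marks the parent directory system and hidden. The hex stem is plain ASCII encoded as hex; it decodes to a string beginning with `Admin`, the sandbox user name. The following detector is an added example written for this page, not code from the report or from any vendor. It runs the two checks over the command lines copied from the Processes section, plus two constructed benign lines for contrast, and correlates the archive's directory with the directory that `attrib` hides. The Windows background processes in the tree (MusNotifyIcon.exe, svchost.exe, TiWorker.exe) produce no findings. Function names and the finding dictionary layout are the example's own.

```python
import ntpath
import re
from typing import Optional

# Command lines copied from this report's Processes section, followed by two
# constructed benign lines (a normal 7-Zip backup and a read-only attrib) so the
# detector has something it must NOT flag.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"',
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"',
    r'attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"',
    r'%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13',
    r'C:\Program Files\7-Zip\7z.exe a -mx9 "C:\Users\Admin\Documents\backup.7z" "C:\Users\Admin\Documents\*"',  # constructed, benign
    r'attrib +r "C:\Users\Admin\Documents\notes.txt"',  # constructed, benign
]

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_args(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def decode_hex_name(path: str) -> Optional[str]:
    """Return the printable ASCII behind an all-hex file stem, else None."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if len(stem) < 8 or len(stem) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', stem):
        return None
    raw = bytes.fromhex(stem)
    return raw.decode('ascii') if all(0x20 <= b < 0x7F for b in raw) else None


def in_roaming_appdata(path: str) -> bool:
    return '\\appdata\\roaming\\' in path.lower()


def detect_archive_staging(args: list) -> Optional[dict]:
    """Flag '<exe> a [switches] <archive>.7z <source>' when the archive lands
    under AppData\\Roaming and its name is hex-encoded ASCII."""
    if len(args) < 3 or args[1].lower() != 'a':
        return None
    archives = [a for a in args[2:] if a.lower().endswith('.7z')]
    if not archives:
        return None
    archive = archives[0]
    decoded = decode_hex_name(archive)
    if decoded is None or not in_roaming_appdata(archive):
        return None
    sources = [a for a in args[2:] if not a.startswith('-') and a != archive]
    return {
        'kind': 'archive_staging',
        'exe': args[0],
        'archive': archive,
        'archive_name_decoded': decoded,
        'source': sources[0] if sources else None,
        'staging_dir': ntpath.dirname(archive),
        'switches': [a for a in args[2:] if a.startswith('-')],
    }


def detect_hide_directory(args: list) -> Optional[dict]:
    """Flag 'attrib +s +h <dir>' under AppData\\Roaming: system+hidden keeps the
    directory out of default Explorer views."""
    if not args or ntpath.basename(args[0]).lower() not in ('attrib', 'attrib.exe'):
        return None
    flags = {a.lower() for a in args[1:] if a.startswith(('+', '-'))}
    targets = [a for a in args[1:] if not a.startswith(('+', '-', '/'))]
    if {'+s', '+h'} <= flags and targets and in_roaming_appdata(targets[0]):
        return {'kind': 'hide_directory', 'target': targets[0], 'flags': sorted(flags)}
    return None


def analyze(cmdlines: list) -> list:
    """Run both detectors over the command lines, then mark an attrib hit whose
    target is a directory an earlier archive was staged in."""
    findings = []
    for line in cmdlines:
        args = split_windows_args(line)
        for detector in (detect_archive_staging, detect_hide_directory):
            hit = detector(args)
            if hit:
                hit['cmdline'] = line
                findings.append(hit)
    staged = {f['staging_dir'].lower() for f in findings if f['kind'] == 'archive_staging'}
    for f in findings:
        if f['kind'] == 'hide_directory' and f['target'].lower().rstrip('\\') in staged:
            f['correlated'] = 'staging directory hidden after archiving'
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_CMDLINES):
        print(finding)
```

Run against the report's command lines, the detector yields two findings: the archive staging hit, whose decoded archive name starts with the sandbox user name, and the `attrib` hit, correlated to the same directory. The two constructed benign lines produce nothing because the archive is outside `AppData\Roaming` and the attrib call sets only `+r`. The report does not identify the dropped module as a 7-Zip build; the detector keys on the command-line syntax, not the binary name, which is the point when the executable is renamed as it is here.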

Network

Country Destination Domain Proto
US 204.79.197.203:443 api.msn.com tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 ipapi.co udp
US 172.67.69.226:443 ipapi.co tcp
RU 185.142.97.228:65233 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 20.190.9.86:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Information.txt

MD5 1b49f42ed284fcd6520c513abb447be9
SHA1 103489c361e3c5b6a9b228b8bf65e277f406d183
SHA256 cdaf41e1445cce7c81dd4d9300c6b970c08cdca997c224fb0a477c630948e38a
SHA512 f599cb5b7104e46d77aca70e4fb46c69198af22702d0d72504394bce54de83b19a4fbce0372f601cfb3d3c103c2256a57bb0780f97c7f70178f7fc0fa57f109d

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Screen.jpg

MD5 1ba7d626fef90ed0c89f7489b985002e
SHA1 770e180de4153798e373897c79c2f765dd200b27
SHA256 a8819a630064c8f30a066b19fba08b18c7e1d261a093de7fe6778acbc314cc3b
SHA512 ba80f1ed4e3a20a2ac1e6a8517f86a163d38360e596d71cee63783e834e7a826a84142ad4759e4b4679d720e7be81b1239d3508085709d01f256fc582d5e8626

memory/3088-136-0x00000000073D0000-0x00000000073D1000-memory.dmp

memory/3088-135-0x00000000073B0000-0x00000000073B1000-memory.dmp

memory/3088-137-0x00000000073C0000-0x00000000073C1000-memory.dmp

memory/3088-138-0x00000000073E0000-0x00000000073E1000-memory.dmp