Analysis Overview
SHA256
b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6
Threat Level: Known bad
The file b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Sets file to hidden
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
autoit_exe
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Views/modifies file attributes
NTFS ADS
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 12:07
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 12:07
Reported
2022-02-20 12:10
Platform
win7-en-20211208
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory (the indicator below is the WMI moniker winmgmts:\localhost\ recorded relative to the process's working directory, here SysWOW64; this is WMI access, not a file written into System32)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Enumerates physical storage devices
NTFS ADS (heuristic hit on the colon in the WMI moniker winmgmts:\localhost\, recorded relative to each process's working directory; this is WMI access by the sample, not a write to an alternate data stream on disk)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe
"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {1F897DFB-CD77-4BA9-AF47-CDFF4CC4F3AC} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
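The command lines above carry more than the signatures report. The NlsLexicons001d.module.exe invocation uses 7-Zip's add syntax (a -y -mx9 -ssw, the last switch compressing files that are open for writing), which is the basis for treating that binary as a renamed 7-Zip; it packs the staging folder \1\ (Information.txt and Screen.jpg in the Files section) into an archive whose name is hex-encoded ASCII, and the attrib +s +h call then hides the whole directory. The script below is an added example, not part of the sandbox report and not the sample's own code: it decodes the archive name and ties the three command lines together. Its inputs are the report's own command lines copied verbatim (the Win10 list keeps only the two relevant lines). The Win7 archive name decodes to AdminVQVVOAJKWIN_7X6, which contains the user and computer name carried in the taskeng.exe session token (VQVVOAJK\Admin); reading the decoded string as user + host + a WIN_ suffix is an inference from these two detonations, not something the report states.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Command lines copied from the Processes section of behavioral1 (Win7 run).
# The VQVVOAJK\Admin token in the taskeng.exe line is the sandbox computer\user.
WIN7_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"',
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe',
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"',
    r'attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"',
    r'taskeng.exe {1F897DFB-CD77-4BA9-AF47-CDFF4CC4F3AC} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]',
]

# The matching lines from behavioral2 (Win10 run); that run logged no taskeng.exe line.
WIN10_CMDLINES = [
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"',
    r'attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"',
]


def split_cmdline(cmd: str) -> List[str]:
    """Tokenise a Windows command line: split on whitespace only (posix=False keeps
    backslashes literal), then drop the surrounding quotes from quoted arguments."""
    return [tok.strip('"') for tok in shlex.split(cmd, posix=False)]


def image_name(path: str) -> str:
    """Lower-case file name of a path ('C:\\...\\attrib.exe' -> 'attrib.exe')."""
    return path.rsplit('\\', 1)[-1].lower()


def decode_hex_name(stem: str) -> Optional[str]:
    """Return the printable ASCII behind an all-hex file stem, else None."""
    if len(stem) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', stem):
        return None
    raw = bytes.fromhex(stem)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode('ascii')
    return None


def find_7z_staging(cmdlines: List[str]) -> List[Dict]:
    """Find 7-Zip 'a' (add) invocations that write a .7z named as hex text.
    Matches on the argument grammar, not the image name, because the binary is
    renamed here (NlsLexicons001d.module.exe)."""
    hits = []
    for cmd in cmdlines:
        toks = split_cmdline(cmd)
        if len(toks) < 3 or toks[1].lower() != 'a':
            continue
        switches = [t for t in toks[2:] if t.startswith('-')]
        args = [t for t in toks[2:] if not t.startswith('-')]
        if not args or not args[0].lower().endswith('.7z'):
            continue
        archive = args[0]
        hits.append({
            'image': toks[0],
            'switches': switches,
            'archive': archive,
            'decoded_name': decode_hex_name(image_name(archive)[:-3]),
            'sources': args[1:],
        })
    return hits


def find_hidden_dirs(cmdlines: List[str]) -> List[str]:
    """Return paths that attrib marked both system and hidden (+s +h)."""
    hidden = []
    for cmd in cmdlines:
        toks = split_cmdline(cmd)
        if not toks or image_name(toks[0]) not in ('attrib', 'attrib.exe'):
            continue
        flags = {t.lower() for t in toks[1:] if t[:1] in ('+', '-')}
        if {'+s', '+h'} <= flags:
            hidden += [t for t in toks[1:] if t[:1] not in ('+', '-')]
    return hidden


def find_host_user(cmdlines: List[str]) -> Optional[Tuple[str, str]]:
    """Pull (computer, user) out of a taskeng.exe session token such as
    'S-1-5-21-...-1000:VQVVOAJK\\Admin:Interactive:[1]'."""
    for cmd in cmdlines:
        m = re.search(r'S-1-5-21-[\d-]+:([^\\:]+)\\([^:]+):', cmd)
        if m:
            return m.group(1), m.group(2)
    return None


def triage(cmdlines: List[str]) -> List[Dict]:
    """Correlate each staged archive with the attrib hiding and the host/user token."""
    hidden = {h.rstrip('\\').lower() for h in find_hidden_dirs(cmdlines)}
    host_user = find_host_user(cmdlines)
    findings = []
    for hit in find_7z_staging(cmdlines):
        archive_dir = hit['archive'].rsplit('\\', 1)[0].lower()
        name = hit['decoded_name'] or ''
        findings.append({
            **hit,
            'staging_dir_hidden': archive_dir in hidden,
            'host_user': host_user,
            'name_contains_host_user': bool(host_user) and host_user[0] in name and host_user[1] in name,
        })
    return findings


if __name__ == '__main__':
    for label, lines in (('win7', WIN7_CMDLINES), ('win10', WIN10_CMDLINES)):
        for f in triage(lines):
            print(label, f['decoded_name'], f['switches'],
                  'hidden' if f['staging_dir_hidden'] else 'visible', f['host_user'])
```

For hunting on real endpoints the same three predicates apply to process-creation telemetry: a non-7-Zip image name taking 7-Zip add switches, an archive whose stem is pure hex and decodes to the local user and host names, and an attrib +s +h on the archive's directory from the same parent.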
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | | tcp |
| RU | 185.142.97.228:65233 | | tcp |
Files
memory/1592-54-0x0000000076421000-0x0000000076423000-memory.dmp
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Information.txt
| MD5 | bbbc12cf3898f4c38a4e14e68f499e95 |
| SHA1 | 55f0be744517ea5a22e5394ddbbb88c82ffc41fc |
| SHA256 | 907d2b1753848cfbd44b5ef33098c4d42c61d7dcff6fab9d2b281bd68cbd95d8 |
| SHA512 | 05b459c0af6925714b147b91922e5566008be07abf15690c7b10280511594b98dddc19435c3d404c16369227fc376fe2e35adb5d44ac8aff52fd755620fd7479 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Screen.jpg
| MD5 | d7605257a19f8820decbd81af6ea1dbf |
| SHA1 | 14ac59a9a9c89ca90ce9f7f04bba24521fcca6f2 |
| SHA256 | 64fa53b94d7f95928d9610c991bb60dcf5be450934f351a1fb3616fbf89b5f6b |
| SHA512 | 730b6c12162107cf647e83316b8dfff16a6c08d1d003d2b5a763f44fbc03c3cbe3d98aca0afc0ea2b94471f279b404e94b3dba38cc6886195906135f8832dc6b |
memory/952-62-0x0000000002D50000-0x0000000002D51000-memory.dmp
memory/952-63-0x0000000002D70000-0x0000000002D71000-memory.dmp
memory/952-64-0x0000000002D60000-0x0000000002D61000-memory.dmp
memory/952-65-0x0000000002D80000-0x0000000002D81000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 12:07
Reported
2022-02-20 12:10
Platform
win10v2004-en-20220112
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory (the indicator below is the WMI moniker winmgmts:\localhost\ recorded relative to the process's working directory, here SysWOW64; this is WMI access, not a file written into System32)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Drops file in Windows directory (all three entries come from svchost.exe and TiWorker.exe, i.e. Windows servicing activity in the sandbox, not the sample)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry (MusNotifyIcon.exe is the Windows Update notification icon; background activity, not the sample)
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS (every entry below is Delivery Optimization state written by svchost.exe -k NetworkService under S-1-5-20; Windows background activity, not the sample)
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132900088835742972" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3984" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.575771" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.260716" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
NTFS ADS (heuristic hit on the colon in the WMI moniker winmgmts:\localhost\, recorded relative to each process's working directory; this is WMI access by the sample, not a write to an alternate data stream on disk)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe
"C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 20.190.9.86:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Information.txt
| MD5 | 1b49f42ed284fcd6520c513abb447be9 |
| SHA1 | 103489c361e3c5b6a9b228b8bf65e277f406d183 |
| SHA256 | cdaf41e1445cce7c81dd4d9300c6b970c08cdca997c224fb0a477c630948e38a |
| SHA512 | f599cb5b7104e46d77aca70e4fb46c69198af22702d0d72504394bce54de83b19a4fbce0372f601cfb3d3c103c2256a57bb0780f97c7f70178f7fc0fa57f109d |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Screen.jpg
| MD5 | 1ba7d626fef90ed0c89f7489b985002e |
| SHA1 | 770e180de4153798e373897c79c2f765dd200b27 |
| SHA256 | a8819a630064c8f30a066b19fba08b18c7e1d261a093de7fe6778acbc314cc3b |
| SHA512 | ba80f1ed4e3a20a2ac1e6a8517f86a163d38360e596d71cee63783e834e7a826a84142ad4759e4b4679d720e7be81b1239d3508085709d01f256fc582d5e8626 |
memory/3088-136-0x00000000073D0000-0x00000000073D1000-memory.dmp
memory/3088-135-0x00000000073B0000-0x00000000073B1000-memory.dmp
memory/3088-137-0x00000000073C0000-0x00000000073C1000-memory.dmp
memory/3088-138-0x00000000073E0000-0x00000000073E1000-memory.dmp