Analysis
-
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2022, 19:30
Static task: static1
Behavioral task: behavioral1 (resource win7-20220812-en)
Sample: 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
The results on this page are from the windows10-2004 run (platform and resource above; the memory dumps under Signatures are named behavioral2/...). The win7 task is listed here but its results are not included.
General
-
Target: 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
Size: 3.6MB
MD5: a4e7c52086fbf175cda3af56f9874664
SHA1: 24ada4a9bbbe6633644a1489fd369d6914d6798a
SHA256: 67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8
SHA512: 52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e
Malware Config
Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: 4Mekey.myftp.biz:1011
Mutex: 7b646cd2fe5
Attributes:
reg_key: 7b646cd2fe5
splitter: @!#&^%$
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: OWN05
C2: 4Mekey.myftp.biz:6606, 4Mekey.myftp.biz:7707, 4Mekey.myftp.biz:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
delay: 3
install: false
install_folder: %AppData%
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: OWN05
C2: 4Mekey.myftp.biz:8848
Mutex: DcRatMutex_qwqdanchun
Attributes:
delay: 1
install: false
install_folder: %AppData%
All three configs point at the same dynamic-DNS host, 4Mekey.myftp.biz, on five different ports.
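The three configs above give one dynamic-DNS name, five ports and three mutex names. The following script, added by the editor and not part of the sandbox report, turns those values into indicators and runs the network ones over DNS and connection logs. The config values are the ones printed above; the log lines, the workstation names WS01/WS02 and all IP addresses are constructed for the demonstration, and the key=value log format is an assumption.

```python
"""Turn the extracted njRAT/AsyncRAT configs into indicators and run the network
ones over DNS and connection logs.

Added example, not part of the sandbox report. The config values are the ones
printed in the report; the log lines, hostnames and IP addresses are constructed.
"""
import re
from collections import defaultdict

# Values copied from the report's "Malware Config" section.
CONFIGS = [
    {"family": "njrat", "version": "0.7NC", "botnet": "NYAN CAT",
     "c2": ["4Mekey.myftp.biz:1011"], "mutex": "7b646cd2fe5", "reg_key": "7b646cd2fe5"},
    {"family": "asyncrat", "version": "0.5.7B", "botnet": "OWN05",
     "c2": ["4Mekey.myftp.biz:6606", "4Mekey.myftp.biz:7707", "4Mekey.myftp.biz:8808"],
     "mutex": "AsyncMutex_6SI8OkPnk"},
    {"family": "asyncrat", "version": "1.0.7", "botnet": "OWN05",
     "c2": ["4Mekey.myftp.biz:8848"], "mutex": "DcRatMutex_qwqdanchun"},
]

# Constructed logs (not from the report). The answer for the C2 name changes
# between lookups on purpose: it is a dynamic-DNS host, so its IP is not a
# stable indicator and matching has to go through the name.
DNS_LOG = """\
2022-08-14T19:31:02Z host=WS01 query=4mekey.myftp.biz answer=198.51.100.23
2022-08-14T19:31:05Z host=WS01 query=www.digicert.com answer=192.0.2.77
2022-08-14T20:10:40Z host=WS01 query=4mekey.myftp.biz answer=203.0.113.9
"""
CONN_LOG = """\
2022-08-14T19:31:03Z host=WS01 dst=198.51.100.23 dport=1011 proto=tcp
2022-08-14T19:31:06Z host=WS01 dst=192.0.2.77 dport=443 proto=tcp
2022-08-14T19:31:09Z host=WS01 dst=198.51.100.23 dport=6606 proto=tcp
2022-08-14T19:45:00Z host=WS01 dst=198.51.100.23 dport=443 proto=tcp
2022-08-14T20:10:41Z host=WS01 dst=203.0.113.9 dport=8848 proto=tcp
2022-08-14T20:11:00Z host=WS02 dst=10.0.0.5 dport=6606 proto=tcp
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_kv(line):
    """'<ts> k=v k=v ...' -> dict, with the timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def c2_endpoints(configs):
    """(hostname, port) -> set of 'family version' labels that use that endpoint."""
    out = defaultdict(set)
    for cfg in configs:
        for hostport in cfg["c2"]:
            host, _, port = hostport.rpartition(":")
            out[(host.lower(), int(port))].add(f"{cfg['family']} {cfg['version']}")
    return dict(out)

def host_indicators(configs):
    """Mutex names (and njRAT's registry value name) to sweep endpoints for."""
    return sorted({c["mutex"] for c in configs} | {c["reg_key"] for c in configs if "reg_key" in c})

def match_logs(dns_log, conn_log, endpoints):
    """Flag DNS lookups of a C2 name, then connections to any IP that name
    resolved to. A connection on a port the configs list is a 'conn' hit; one
    on another port is reported separately as low confidence, because a
    dynamic-DNS IP may be shared with unrelated services."""
    c2_names = {name for name, _ in endpoints}
    ip_to_name, hits = {}, []
    for line in dns_log.splitlines():
        rec = parse_kv(line)
        name = rec["query"].lower()
        if name in c2_names:
            hits.append({"ts": rec["ts"], "kind": "dns", "host": rec["host"], "name": name})
            ip_to_name[rec["answer"]] = name     # remember every IP the name ever resolved to
    for line in conn_log.splitlines():
        rec = parse_kv(line)
        name = ip_to_name.get(rec["dst"])
        if name is None:
            continue
        port = int(rec["dport"])
        families = sorted(endpoints.get((name, port), ()))
        hits.append({"ts": rec["ts"], "kind": "conn" if families else "conn_unlisted_port",
                     "host": rec["host"], "name": name, "dst": rec["dst"],
                     "dport": port, "families": families})
    return hits

if __name__ == "__main__":
    for hit in match_logs(DNS_LOG, CONN_LOG, c2_endpoints(CONFIGS)):
        print(hit)
    print("host indicators:", host_indicators(CONFIGS))
```

Matching is keyed on the DNS name rather than on an IP list: the C2 IP in a myftp.biz record can change at any time, so a flow to a resolved IP on a port from the config is the high-confidence signal, and the same IP on port 443 only a lead.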
Signatures
-
Windows security bypass 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" | Windows Security Host.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" | Windows Security Host.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" | svchost.exe
-
Async RAT payload 2 IoCs
resource | yara_rule
behavioral2/memory/3876-175-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral2/memory/2192-196-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
PIDs 3876 and 2192 are the same-image child processes on which svchost.exe (1860) and Windows Security Host.exe (3964) set thread context (see Suspicious use of SetThreadContext below), so the AsyncRAT payload was matched in the memory of the injected children.
-
Executes dropped EXE 9 IoCs
pid | Process
3948 | Runtime Broker.exe
1352 | Runtime Broker.exe
1860 | svchost.exe
3876 | svchost.exe
3964 | Windows Security Host.exe
4396 | Windows Security Host.exe
4260 | Windows Security Host.exe
2192 | Windows Security Host.exe
1876 | Set-up.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Runtime Broker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Windows Security Host.exe
-
Windows security modification 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" | Windows Security Host.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" | Windows Security Host.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | Runtime Broker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" | Runtime Broker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" | svchost.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" | Runtime Broker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" | Windows Security Host.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" | Windows Security Host.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" | Runtime Broker.exe
Every path registered for autostart here is also the subject of a Defender exclusion above, and each is a file named svchost.exe outside System32/SysWOW64.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 3948 set thread context of 1352 | 3948 | Runtime Broker.exe | 85
PID 1860 set thread context of 3876 | 1860 | svchost.exe | 93
PID 3964 set thread context of 2192 | 3964 | Windows Security Host.exe | 103
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
File opened for modification | C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
File created | C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe | svchost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV | svchost.exe
File created | C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe | Windows Security Host.exe
File opened for modification | C:\Windows\Cursors\OPSZXUZIgTafXTVhZ | Windows Security Host.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; this report records no file encryption, and the extracted configs identify njRAT and AsyncRAT, so treat the signature as drive enumeration by a RAT rather than as a ransomware indicator.
-
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | Set-up.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" | Set-up.exe
FEATURE_BROWSER_EMULATION = 11001 selects IE11 edge-mode rendering for an embedded WebBrowser control; installers set it routinely, so on its own this row is not a malicious indicator.
-
Modifies system certificate store 8 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | Set-up.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob contents not preserved in this extract] | Set-up.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob contents not preserved in this extract] | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob contents not preserved in this extract] | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob contents not preserved in this extract] | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob contents not preserved in this extract] | Set-up.exe
Both thumbprints are well-known public roots: 0563B863... is DigiCert Assured ID Root CA (its subject name "DigiCert Assured ID Root CA" and its 2006-11-10 to 2031-11-10 validity are readable in the ASN.1 of the blob above) and 5FB7EE06... is DigiCert High Assurance EV Root CA. AuthRoot\Certificates is the cache Windows fills from the automatic root update when chain building needs a root that is not yet present locally, for example while verifying a signature. No private or unknown root is written here, so this signature is a side effect of Set-up.exe's certificate validation rather than trust-store tampering; it is the thumbprints, not the presence of the signature, that decide that.
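Deciding whether a "Modifies system certificate store" row is benign means reading the Blob, not just the thumbprint in the key name. The script below, added by the editor and not part of the report, decodes the first Blob value printed above (copied verbatim) using the layout Windows uses for serialized certificate properties (a sequence of records: property id, flags, data length as little-endian 32-bit integers, then the data, with the DER certificate under property 0x20), extracts the certificate, and checks the cached SHA-1 and SHA-256 properties against the DER. The common-name and validity readers are deliberately minimal ASN.1 scans that assume short-form lengths, which holds for this certificate.

```python
"""Decode the AuthRoot Blob that Set-up.exe wrote and identify the certificate.

Added example, not from the report. The hex is the first Blob value the report
prints, copied verbatim; the record layout (property id, flags, length, data as
little-endian u32 triples, DER certificate under id 0x20) is Windows'
serialized certificate property format."""
import hashlib
import struct

# Issuer and subject DN are the same byte string: this is a self-signed root.
DN = ("3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
      "7777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341")
AUTHROOT_BLOB_HEX = (
    "5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b620"
    "0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
    "1d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f"
    "6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c"
    "090000000100000034000000303206082b0601050507030206082b0601050507030306082b06010505070304"
    "06082b0601050507030106082b06010505070308"
    "530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"
    "04000000010000001000000087ce0b7b2a0e4900e158719b37a89372"
    "2000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039"
    "300d06092a864886f70d0101050500" + DN +
    "301e170d3036313131303030303030305a170d3331313131303030303030305a" + DN +
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600c"
    "f880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c3184"
    "2af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2"
    "125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3"
    "a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e90"
    "35c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c4"
    "7e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f"
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f"
    "301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"
    "300d06092a864886f70d01010505000382010100"
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b3"
    "9fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12"
    "d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0"
    "dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f0105"
    "9bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067"
    "b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101"
    "b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2"
)
# CERT_*_PROP_ID values from wincrypt.h for the record ids present in this blob.
PROP_NAMES = {0x03: "sha1_hash", 0x04: "md5_hash", 0x09: "enhkey_usage", 0x0b: "friendly_name",
              0x0f: "signature_hash", 0x14: "key_identifier", 0x19: "subject_public_key_md5_hash",
              0x1d: "subject_name_md5_hash", 0x20: "cert", 0x53: "root_program_cert_policies",
              0x5c: "subject_pub_key_bit_length", 0x62: "auth_root_sha256_hash"}

def parse_cert_blob(hex_blob):
    """Split the blob into {property_id: raw data}; each record is id, flags (1), length, data."""
    raw, props, off = bytes.fromhex(hex_blob), {}, 0
    while off < len(raw):
        prop_id, flags, length = struct.unpack_from("<III", raw, off)
        off += 12
        if flags != 1 or off + length > len(raw):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = raw[off:off + length]
        off += length
    return props

def common_names(der):
    """Heuristic scan for CN attributes (OID 2.5.4.3): issuer first, then subject."""
    oid, names, i = b"\x06\x03\x55\x04\x03", [], 0
    while (i := der.find(oid, i)) != -1:
        length = der[i + 6]                      # string tag at i+5, short-form length at i+6
        names.append(der[i + 7:i + 7 + length].decode("latin-1"))
        i += 7 + length
    return names

def validity(der):
    """The first two UTCTime values (tag 0x17, length 13) are notBefore and notAfter."""
    i = der.find(b"\x17\x0d")
    j = der.find(b"\x17\x0d", i + 15)
    return der[i + 2:i + 15].decode("ascii"), der[j + 2:j + 15].decode("ascii")

def describe(hex_blob):
    """Summarise the stored certificate and check the cached hashes against the DER."""
    props = parse_cert_blob(hex_blob)
    der = props[0x20]
    cns = common_names(der)
    return {
        "issuer_cn": cns[0], "subject_cn": cns[-1], "validity": validity(der),
        "sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest(),
        "friendly_name": props[0x0b].decode("utf-16-le").rstrip("\x00"),
        "key_bits": struct.unpack("<I", props[0x5c])[0],
        "stored_sha1_ok": props[0x03] == hashlib.sha1(der).digest(),
        "stored_sha256_ok": props[0x62] == hashlib.sha256(der).digest(),
        "properties": [PROP_NAMES.get(p, hex(p)) for p in props],
    }

if __name__ == "__main__":
    for key, value in describe(AUTHROOT_BLOB_HEX).items():
        print(f"{key:>17}: {value}")
```

The SHA-1 of the extracted DER equals the thumbprint in the registry key name, and the subject is DigiCert Assured ID Root CA, valid 2006-11-10 to 2031-11-10. A rogue root would show up here as a subject and fingerprint that do not match any public CA; that comparison is the check worth automating, since the sandbox signature fires for both cases.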
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid | Process | occurrences
3948 | Runtime Broker.exe | 10
1860 | svchost.exe | 10
3964 | Windows Security Host.exe | 14
4280, 4968, 2500, 2164, 3204, 3332, 3180, 3252, 5100 | powershell.exe | 2 each
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3948 | Runtime Broker.exe
Token: SeDebugPrivilege | 2500 | powershell.exe
Token: SeDebugPrivilege | 4280 | powershell.exe
Token: SeDebugPrivilege | 4968 | powershell.exe
Token: SeDebugPrivilege | 1860 | svchost.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: SeDebugPrivilege | 3204 | powershell.exe
Token: SeDebugPrivilege | 3332 | powershell.exe
Token: SeDebugPrivilege | 1352 | Runtime Broker.exe
Token: SeDebugPrivilege | 3876 | svchost.exe
Token: SeDebugPrivilege | 3964 | Windows Security Host.exe
Token: SeDebugPrivilege | 3180 | powershell.exe
Token: SeDebugPrivilege | 3252 | powershell.exe
Token: SeDebugPrivilege | 5100 | powershell.exe
Token: SeDebugPrivilege | 2192 | Windows Security Host.exe
Token: 33 followed by Token: SeIncBasePriorityPrivilege | 1352 | Runtime Broker.exe (this pair repeats 17 times, accounting for the remaining 34 IoCs)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 1684 wrote to memory of 3948 | 1684 | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe | 77 | 3
PID 3948 wrote to memory of 4280 | 3948 | Runtime Broker.exe | 79 | 3
PID 3948 wrote to memory of 4968 | 3948 | Runtime Broker.exe | 80 | 3
PID 3948 wrote to memory of 2500 | 3948 | Runtime Broker.exe | 83 | 3
PID 3948 wrote to memory of 1352 | 3948 | Runtime Broker.exe | 85 | 8
PID 1684 wrote to memory of 1860 | 1684 | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe | 86 | 3
PID 1860 wrote to memory of 2164 | 1860 | svchost.exe | 87 | 3
PID 1860 wrote to memory of 3204 | 1860 | svchost.exe | 89 | 3
PID 1860 wrote to memory of 3332 | 1860 | svchost.exe | 91 | 3
PID 1860 wrote to memory of 3876 | 1860 | svchost.exe | 93 | 8
PID 1684 wrote to memory of 3964 | 1684 | 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe | 94 | 3
PID 3964 wrote to memory of 3180 | 3964 | Windows Security Host.exe | 95 | 3
PID 3964 wrote to memory of 3252 | 3964 | Windows Security Host.exe | 97 | 3
PID 3964 wrote to memory of 5100 | 3964 | Windows Security Host.exe | 99 | 3
PID 3964 wrote to memory of 4396 | 3964 | Windows Security Host.exe | 101 | 3
PID 3964 wrote to memory of 4260 | 3964 | Windows Security Host.exe | 102 | 3
PID 3964 wrote to memory of 2192 | 3964 | Windows Security Host.exe | 103 | 6
The "rows" column is the number of identical rows the report lists for that parent/child pair (64 in total).
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe (PID 1684)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (PID 3948)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        - Windows security bypass
        - Executes dropped EXE
        - Checks computer location settings
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4280)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4968)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2500)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (PID 1352)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1860)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Windows security bypass
        - Executes dropped EXE
        - Checks computer location settings
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2164)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3204)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3332)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 3876)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\Windows Security Host.exe (PID 3964)
        cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
        - Windows security bypass
        - Executes dropped EXE
        - Checks computer location settings
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3180)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3252)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5100)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe" -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Roaming\Windows Security Host.exe (PID 4396)
            cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
            - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Roaming\Windows Security Host.exe (PID 4260)
            cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
            - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Roaming\Windows Security Host.exe (PID 2192)
            cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe (PID 1876)
        cmdline: "C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Modifies system certificate store
-
Reading the tree: the dropper (1684) starts three RAT loaders and a decoy Adobe installer. Each loader first spawns powershell.exe three times to add Defender exclusions, then starts a copy of itself and sets that child's thread context (1352, 3876 and 2192), which is where the AsyncRAT YARA hits land. The loaders are 32-bit: their direct Defender writes land under WOW6432Node, and the powershell.exe they launch resolves to C:\Windows\SysWOW64 although the command line names System32 (file system redirection), so detections keyed on the System32 image path would miss these children.
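The process tree, the SetThreadContext rows and the YARA memory hits describe one pattern three times: a loader starts a copy of its own image, writes into it and sets its thread context, and the payload is only ever found in that child. The script below, added by the editor and not part of the report, rebuilds that chain from the report's own rows (transcribed into dicts whose layout is this example's own) and labels the same-image children that received no injection so they are not overlooked.

```python
"""Rebuild the injection chain from the report's Processes tree and the
SetThreadContext / WriteProcessMemory / YARA rows.

Added example, not part of the report. The tables below are transcribed from
the report; the dict layout is this example's own."""
from collections import defaultdict

PROCESSES = {  # pid: (image, parent pid), from the Processes tree
    1684: ("67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe", None),
    3948: ("Runtime Broker.exe", 1684), 4280: ("powershell.exe", 3948),
    4968: ("powershell.exe", 3948), 2500: ("powershell.exe", 3948),
    1352: ("Runtime Broker.exe", 3948),
    1860: ("svchost.exe", 1684), 2164: ("powershell.exe", 1860),
    3204: ("powershell.exe", 1860), 3332: ("powershell.exe", 1860),
    3876: ("svchost.exe", 1860),
    3964: ("Windows Security Host.exe", 1684), 3180: ("powershell.exe", 3964),
    3252: ("powershell.exe", 3964), 5100: ("powershell.exe", 3964),
    4396: ("Windows Security Host.exe", 3964), 4260: ("Windows Security Host.exe", 3964),
    2192: ("Windows Security Host.exe", 3964),
    1876: ("Set-up.exe", 1684),
}
SET_THREAD_CONTEXT = [(3948, 1352), (1860, 3876), (3964, 2192)]
WRITE_PROCESS_MEMORY = {  # (writer, target): number of rows in the report
    (1684, 3948): 3, (3948, 4280): 3, (3948, 4968): 3, (3948, 2500): 3, (3948, 1352): 8,
    (1684, 1860): 3, (1860, 2164): 3, (1860, 3204): 3, (1860, 3332): 3, (1860, 3876): 8,
    (1684, 3964): 3, (3964, 3180): 3, (3964, 3252): 3, (3964, 5100): 3,
    (3964, 4396): 3, (3964, 4260): 3, (3964, 2192): 6,
}
YARA_MEMORY_HITS = [
    ("behavioral2/memory/3876-175-0x0000000000400000-0x0000000000412000-memory.dmp", "asyncrat"),
    ("behavioral2/memory/2192-196-0x0000000000400000-0x0000000000412000-memory.dmp", "asyncrat"),
]

def pid_from_dump(name):
    """'.../<pid>-<n>-<start>-<end>-memory.dmp' -> pid."""
    return int(name.rsplit("/", 1)[-1].split("-", 1)[0])

def hollowing_candidates(procs, stc, wpm, yara):
    """A parent that spawns a child from its own image, writes into it and then
    sets the child's thread context is the process-hollowing pattern
    (ATT&CK T1055.012). Attach the YARA family matched in that child's memory."""
    payload = {pid_from_dump(n): rule for n, rule in yara}
    out = []
    for parent, child in stc:
        p_img, _ = procs[parent]
        c_img, c_parent = procs[child]
        out.append({
            "parent": parent, "child": child, "image": c_img,
            "hollowing": p_img == c_img and c_parent == parent and (parent, child) in wpm,
            "writes": wpm.get((parent, child), 0),
            "payload": payload.get(child),
        })
    return out

def uninjected_same_image_children(procs, stc):
    """Same-image children the parent spawned but never set thread context on
    (4396 and 4260 here). The report shows no payload in them; check their
    memory dumps before treating them as inert."""
    targets = {child for _, child in stc}
    return sorted(pid for pid, (img, par) in procs.items()
                  if par is not None and procs[par][0] == img and pid not in targets)

def render_tree(procs, pid=None, depth=0):
    """Indented text tree of the process relationships, root first."""
    children = defaultdict(list)
    for p, (_, parent) in procs.items():
        children[parent].append(p)
    lines = []
    for p in sorted(children[pid], key=lambda x: list(procs).index(x)):
        lines.append("  " * depth + f"{procs[p][0]} (PID {p})")
        lines.extend(render_tree(procs, p, depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for c in hollowing_candidates(PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, YARA_MEMORY_HITS):
        print(c)
    print("same-image children without injection:", uninjected_same_image_children(PROCESSES, SET_THREAD_CONTEXT))
```

Two things fall out of running it over this report: the YARA hits line up exactly with the two children that received SetThreadContext from svchost.exe and Windows Security Host.exe, and Runtime Broker.exe's child (1352) was hollowed in the same way but matched no rule, so its dump is the one to inspect by hand (the njRAT config extracted above is the obvious candidate, but the report does not say which process it came from).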
Network
MITRE ATT&CK Enterprise v6
Downloads
-
The report lists one entry per dropped file path; the paths were not captured in this extract, so entries with identical hashes are collapsed below with the number of times they appear.
-
Filesize: 7.3MB (2 entries)
MD5: 08c3094ab3b3f48e26b6298c5b536fc0
SHA1: eb3354a84b4df057d129db893e7da073ce966d9c
SHA256: 604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3
SHA512: c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656
-
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize: 18KB (3 entries)
MD5: ce7628577f459b34d4bc5b2a580202d9
SHA1: d451433443db205c9acc801edbdf62cfe5ace0c4
SHA256: 1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00
SHA512: 2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7
-
Filesize: 18KB
MD5: c82cf1c6aa26d40abdeeadbb40ee274f
SHA1: ba84ebbfb299a025fdf72b870ade6ca8f92d4d7e
SHA256: eaf94aad23b2ae56eaaa92f70af26a18e65bfae7557816bbaf31d088b40e4774
SHA512: 3375627bd362023c4b4f3e5921f84d09acc19039cae40bc571cd047f3b754676fca7924f7086d58df619aaa544eed27bc9eb2e198925c001fbc2a1aa37bd8331
-
Filesize: 18KB (2 entries)
MD5: 645b77bae91e157f44a6125e63f17621
SHA1: 3de7404d827ec5f76a7743a58a818e0d11d42839
SHA256: 90f5e018d2c2dd966909518503616a8561bcb3ce2363f76c0b1d7027b738c99c
SHA512: 06d289e410eb2daf3f850263e02f5ca87a21c5ecba1fb89324ae626286445a9c28909e88a6ee47ae827a255fb06972af38bd866b6ba1f1cceb23f80a3a1ba495
-
Filesize: 18KB
MD5: 04d7c019f2a21d6a052315c67ae92b73
SHA1: 09fabcc020d869b88c33e4cbd9a2481a678c2149
SHA256: 374fad38ab27622163272b1394fe89af17ba0abfdd60adda00948799099a1d69
SHA512: 3a2925593ff5835638d78a598468fb36a539af56367d21775f6a5153d260e0938b233824d1887415730f1f300e6ef4a52628d0f99dd9c37f472be6bed7e1f7b9
-
Filesize: 18KB
MD5: 2de185be84dd06c83d961d95773bddd5
SHA1: 0f22342d56c7a24b5b976dd423711678157cc659
SHA256: 7409fcd778c5258bb100fc2e4b57801326699e8fdc9a571bbd0b7c347c697ce2
SHA512: 2aa19ffbccdd0ba50ccbde7f836e8f9e13298d8c2465beae70118eaad9df2a2446632a3c2ff3d09e305d3ac9acc4b01fb436862fff5db446b9f3b1cc2dc03214
-
Filesize: 399KB (3 entries)
MD5: 75233a6594888de3589ac556a04d36d8
SHA1: 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256: fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512: c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b
-
Filesize: 403KB (3 entries)
MD5: 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1: 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256: 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512: 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371
-
Filesize: 471KB (5 entries)
MD5: fd4064ae04a7f4f8636454fcd7f77b00
SHA1: 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256: b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512: 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc