Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 13:14
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
fca5b5a89605e55f49094e21f933f902
-
SHA1
e3075d5365edd4e3ad46d0c314e4861edb61d702
-
SHA256
c3605f44c32f4ef1d51e44e6546350c03d2d0a16531fd3b5b17e3ec97ca1b648
-
SHA512
1f9597de3b1c12af02e562e04a5083eafc9d6fccedc20f1f5f8dd02db34e25b29fca886035a74b4ab673ed5bed12b2e49c88cb592441eb9b9af0039118e2c86c
-
SSDEEP
196608:91OZ6xaxnguA9CVhUX7teutpSpRZZ86giA2gUA7MdN:3OZleiVhU4Lp3WZl2gHaN
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 58 3512 rundll32.exe 59 3512 rundll32.exe 61 3512 rundll32.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exeYlRKEUb.execxocWeC.exepid process 4252 Install.exe 3092 Install.exe 3696 YlRKEUb.exe 3480 cxocWeC.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.execxocWeC.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cxocWeC.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3512 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
cxocWeC.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json cxocWeC.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json cxocWeC.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json cxocWeC.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
cxocWeC.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini cxocWeC.exe -
Drops file in System32 directory 31 IoCs
Processes:
cxocWeC.exepowershell.exeYlRKEUb.exepowershell.exeInstall.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 cxocWeC.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA cxocWeC.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 cxocWeC.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini YlRKEUb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol YlRKEUb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 cxocWeC.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 cxocWeC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA cxocWeC.exe -
Drops file in Program Files directory 14 IoCs
Processes:
cxocWeC.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja cxocWeC.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\TWyrtvA.xml cxocWeC.exe File created C:\Program Files (x86)\LCSurMlfClMRC\rtkznqp.dll cxocWeC.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\oFlCEad.dll cxocWeC.exe File created C:\Program Files (x86)\LCSurMlfClMRC\fxjrBNb.xml cxocWeC.exe File created C:\Program Files (x86)\CXdyuXxQU\ayGBnh.dll cxocWeC.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi cxocWeC.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak cxocWeC.exe File created C:\Program Files (x86)\CXdyuXxQU\MbvSYsj.xml cxocWeC.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\EOrbCNY.xml cxocWeC.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi cxocWeC.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak cxocWeC.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\daZyXGtBznCha.dll cxocWeC.exe File created C:\Program Files (x86)\bOFQhydRtxUn\CuHckTq.dll cxocWeC.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job schtasks.exe File created C:\Windows\Tasks\GrrjjXtPjBVPFNmZQ.job schtasks.exe File created C:\Windows\Tasks\ErhcMqZyPKQzNnH.job schtasks.exe File created C:\Windows\Tasks\NSdDFfEujjmGqHjBl.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4140 schtasks.exe 560 schtasks.exe 4108 schtasks.exe 5108 schtasks.exe 4888 schtasks.exe 3528 schtasks.exe 2152 schtasks.exe 1004 schtasks.exe 404 schtasks.exe 4860 schtasks.exe 3624 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.execxocWeC.exerundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" cxocWeC.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\MaxCapacity = "15140" cxocWeC.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" cxocWeC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEcxocWeC.exepid process 3116 powershell.EXE 3116 powershell.EXE 4940 powershell.exe 4940 powershell.exe 4516 powershell.exe 4516 powershell.exe 4808 powershell.EXE 4808 powershell.EXE 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe 3480 cxocWeC.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 3116 powershell.EXE Token: SeDebugPrivilege 4940 powershell.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4808 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXEYlRKEUb.exepowershell.execmd.exedescription pid process target process PID 1748 wrote to memory of 4252 1748 file.exe Install.exe PID 1748 wrote to memory of 4252 1748 file.exe Install.exe PID 1748 wrote to memory of 4252 1748 file.exe Install.exe PID 4252 wrote to memory of 3092 4252 Install.exe Install.exe PID 4252 wrote to memory of 3092 4252 Install.exe Install.exe PID 4252 wrote to memory of 3092 4252 Install.exe Install.exe PID 3092 wrote to memory of 760 3092 Install.exe forfiles.exe PID 3092 wrote to memory of 760 3092 Install.exe forfiles.exe PID 3092 wrote to memory of 760 3092 Install.exe forfiles.exe PID 3092 wrote to memory of 1244 3092 Install.exe forfiles.exe PID 3092 wrote to memory of 1244 3092 Install.exe forfiles.exe PID 3092 wrote to memory of 1244 3092 Install.exe forfiles.exe PID 760 wrote to memory of 4716 760 forfiles.exe cmd.exe PID 760 wrote to memory of 4716 760 forfiles.exe cmd.exe PID 760 wrote to memory of 4716 760 forfiles.exe cmd.exe PID 1244 wrote to memory of 3824 1244 forfiles.exe cmd.exe PID 1244 wrote to memory of 3824 1244 forfiles.exe cmd.exe PID 1244 wrote to memory of 3824 1244 forfiles.exe cmd.exe PID 4716 wrote to memory of 1252 4716 cmd.exe reg.exe PID 4716 wrote to memory of 1252 4716 cmd.exe reg.exe PID 4716 wrote to memory of 1252 4716 cmd.exe reg.exe PID 3824 wrote to memory of 1564 3824 cmd.exe reg.exe PID 3824 wrote to memory of 1564 3824 cmd.exe reg.exe PID 3824 wrote to memory of 1564 3824 cmd.exe reg.exe PID 4716 wrote to memory of 3480 4716 cmd.exe reg.exe PID 4716 wrote to memory of 3480 4716 cmd.exe reg.exe PID 4716 wrote to memory of 3480 4716 cmd.exe reg.exe PID 3824 wrote to memory of 308 3824 cmd.exe reg.exe PID 3824 wrote to memory of 308 3824 cmd.exe reg.exe PID 3824 wrote to memory of 308 3824 cmd.exe reg.exe PID 3092 wrote to memory of 3528 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 3528 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 3528 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 3964 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 3964 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 3964 3092 Install.exe schtasks.exe PID 3116 wrote to memory of 1552 3116 powershell.EXE gpupdate.exe PID 3116 wrote to memory of 1552 3116 powershell.EXE gpupdate.exe PID 3092 wrote to memory of 2540 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 2540 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 2540 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 2152 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 2152 3092 Install.exe schtasks.exe PID 3092 wrote to memory of 2152 3092 Install.exe schtasks.exe PID 3696 wrote to memory of 4940 3696 YlRKEUb.exe powershell.exe PID 3696 wrote to memory of 4940 3696 YlRKEUb.exe powershell.exe PID 3696 wrote to memory of 4940 3696 YlRKEUb.exe powershell.exe PID 4940 wrote to memory of 4284 4940 powershell.exe cmd.exe PID 4940 wrote to memory of 4284 4940 powershell.exe cmd.exe PID 4940 wrote to memory of 4284 4940 powershell.exe cmd.exe PID 4284 wrote to memory of 4488 4284 cmd.exe reg.exe PID 4284 wrote to memory of 4488 4284 cmd.exe reg.exe PID 4284 wrote to memory of 4488 4284 cmd.exe reg.exe PID 4940 wrote to memory of 3440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 3440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 3440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 1440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 1440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 1440 4940 powershell.exe reg.exe PID 4940 wrote to memory of 820 4940 powershell.exe reg.exe PID 4940 wrote to memory of 820 4940 powershell.exe reg.exe PID 4940 wrote to memory of 820 4940 powershell.exe reg.exe PID 4940 wrote to memory of 2016 4940 powershell.exe reg.exe PID 4940 wrote to memory of 2016 4940 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS646C.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS68A2.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIYLtyjAi" /SC once /ST 03:56:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gIYLtyjAi"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gIYLtyjAi"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 15:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\YlRKEUb.exe\" Qf /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\YlRKEUb.exeC:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\YlRKEUb.exe Qf /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUTTZStSq" /SC once /ST 08:31:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUTTZStSq"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUTTZStSq"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 01:50:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cxocWeC.exe\" 76 /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cxocWeC.exeC:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cxocWeC.exe 76 /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\ayGBnh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\MbvSYsj.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\TWyrtvA.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\WRjMHQp.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\EOrbCNY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\fxjrBNb.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 13:19:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\jtNqBlMn\WnkPQIJ.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NSdDFfEujjmGqHjBl"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\jtNqBlMn\WnkPQIJ.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\jtNqBlMn\WnkPQIJ.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"3⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\CXdyuXxQU\MbvSYsj.xmlFilesize
2KB
MD513edf488cac2173e217b352799e1e1c3
SHA15de87c5457eae457996ff8f5c9d4d304e6dccde2
SHA2560317fd722627821f8646f63d16a8e3c69afa4060a5f173bdfaff2373c238c189
SHA5124d8006b3145bf726681ee068b91eac7bd4f9bafae87ea63ab9fbac6ac75ab53d33e1c8b468502a63a5f6d016b33d7560c9eb4df85f98a4c1235c93b6f5a5e593
-
C:\Program Files (x86)\LCSurMlfClMRC\fxjrBNb.xmlFilesize
2KB
MD5f3bda1af8dee0ec1dcaf2b4a4a35489a
SHA1e24e9f32f17dc792699900e9ed2049b4b0bd5b70
SHA25606f86acc37576541c2f360b3abd791a3e4622b1e78f1d3b336979efb1ec5230a
SHA51221c1ce70d69e12c2be9854636c59a2aace96e72e05cc01b3f2a8eb6919b82bb5a67e49302aa2085338859b4fed4287329de0d3163f3b33357771fe8befbba30c
-
C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\EOrbCNY.xmlFilesize
2KB
MD57dcac75561cf4687581486698e1b2fb6
SHA1077896e2c561cf642af5c6ee9d6d3c76a7576818
SHA2560f1ae9c515d0bd92537c7aa982c38c417413dde119f7c19395f4378f83db7f1e
SHA5120d7c49994281ebbfe1fa6796f9ea75018787ace97a32b4ba63fb155f622c9edad682e2edb5c147f7aa09ed17feb1302b1ef958ec755e5c35b071b45f3ef2e0ba
-
C:\Program Files (x86)\YnFPtusxCOTU2\TWyrtvA.xmlFilesize
2KB
MD56b00675bd5675142684731a4441941c9
SHA18b589954b467231f91e0206c3f8a34ff27eb018a
SHA256eaf13427cf836101c91af3b33661f5e993349f6c17926f060a8d3682ab9b3dad
SHA51257d3f3cd09b52fa62f4067c971907fd1b62103577f3bc5733c8358a23c5c21d26bf114c357da026e9218afd242559c50aee63991ac64c6549d93009a5d6adc41
-
C:\ProgramData\RIEoyfpemMjlUPVB\WRjMHQp.xmlFilesize
2KB
MD5443a084db4c854317273c3f4d890895c
SHA11e41ec3f9c4a739ef3dc292021bb6ff83f5ce577
SHA256f872efb1f0c7b5e14bf3f85edcd65f2b4881685f5e447bcdd65ac78fe9fd6624
SHA5123c001991721b339ed96ba088979d8fe6fa3b8f6f1016d51c1c880d4247cafc56c6773c3c2cdbc3c81011921793e9d5fe7c9ca210aa483ba9e110de95a22c25c5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS646C.tmp\Install.exeFilesize
6.4MB
MD5609d1f39dfaac7980aa59ab1850f5d57
SHA14b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0
SHA256f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865
SHA512184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c
-
C:\Users\Admin\AppData\Local\Temp\7zS646C.tmp\Install.exeFilesize
6.4MB
MD5609d1f39dfaac7980aa59ab1850f5d57
SHA14b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0
SHA256f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865
SHA512184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c
-
C:\Users\Admin\AppData\Local\Temp\7zS68A2.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\7zS68A2.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\YlRKEUb.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\YlRKEUb.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5825ef7cdb9aee9b8a1af80eccb970fb7
SHA1b481153653a4703c1baac5e17b0ef8b38d01abf3
SHA256dcce6d91814a411dcd4261c3262ad7fe24742b5541cde5c238d9588decf8b140
SHA51275005f99f12f4187424336427b5a614c4c4385d810a083660058c75dbd128319b0f47d3dc8433b20b751967a9d29755f908e5d3a178e520269ca43651d7f20ee
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5aacac8121a2e7e7fc555e2bda1b6129a
SHA1bc03a51b6405ce551f29dca91e60746aacecb223
SHA25616afa25759d4d5fcc4d010813cc067017ae850ffcd332e9742ada33288f4fef0
SHA5123fd4a32fa96c0d40f1a42220b4238c5d45a90ab512e8e599ba698e344817db08743cb4515d55eac31c5b3cd6fa61b112269c577f0a23e5dc992f6ed4900bf530
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD580d2cdddb56022af1c48b40992c7e945
SHA180c87116bce9a4273832ca198b846cb2384e43d8
SHA2569de5ece81cfd7c224299f5ed737888926c74eacfb5b99b6d10f3cfd99b84473a
SHA51255ac19c7ecdf780f46580878a5a20bd1c59e824e4641348cb60f2b4126fd4797b3c08cf1740c754a5152cf1514adac8e7e9e1c8458606fd03919c161eef32cec
-
C:\Windows\Temp\MNBTbrbBidagOXts\jtNqBlMn\WnkPQIJ.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\Temp\MNBTbrbBidagOXts\jtNqBlMn\WnkPQIJ.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cxocWeC.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cxocWeC.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD5a6f315a184f2b1353e6c434790333bce
SHA114af82999ca588e61aeed6279391a509552aa1d3
SHA256a6ac59399c65bfdfee8c791f07c64f67c3253ae9e6c9cb0e939a4b30add9dad8
SHA5124c55c095b21a96cc58dae0ffae03c41f9778f0a438731c04c8f3ff1adc5a14f34a0fd4dc0be02131f2294c8f9de5c5bf698b2ae88854f9062ef51ea36f554f86
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/100-177-0x0000000000000000-mapping.dmp
-
memory/308-148-0x0000000000000000-mapping.dmp
-
memory/344-183-0x0000000000000000-mapping.dmp
-
memory/760-141-0x0000000000000000-mapping.dmp
-
memory/820-172-0x0000000000000000-mapping.dmp
-
memory/1004-214-0x0000000000000000-mapping.dmp
-
memory/1108-189-0x0000000000000000-mapping.dmp
-
memory/1244-142-0x0000000000000000-mapping.dmp
-
memory/1252-145-0x0000000000000000-mapping.dmp
-
memory/1284-197-0x0000000000000000-mapping.dmp
-
memory/1324-206-0x0000000000000000-mapping.dmp
-
memory/1344-199-0x0000000000000000-mapping.dmp
-
memory/1392-219-0x0000000000000000-mapping.dmp
-
memory/1440-171-0x0000000000000000-mapping.dmp
-
memory/1552-152-0x0000000000000000-mapping.dmp
-
memory/1564-146-0x0000000000000000-mapping.dmp
-
memory/1696-191-0x0000000000000000-mapping.dmp
-
memory/1724-196-0x0000000000000000-mapping.dmp
-
memory/1820-211-0x0000000000000000-mapping.dmp
-
memory/1832-210-0x0000000000000000-mapping.dmp
-
memory/1844-188-0x0000000000000000-mapping.dmp
-
memory/2000-186-0x0000000000000000-mapping.dmp
-
memory/2016-173-0x0000000000000000-mapping.dmp
-
memory/2152-155-0x0000000000000000-mapping.dmp
-
memory/2176-185-0x0000000000000000-mapping.dmp
-
memory/2340-212-0x0000000000000000-mapping.dmp
-
memory/2480-181-0x0000000000000000-mapping.dmp
-
memory/2540-154-0x0000000000000000-mapping.dmp
-
memory/2656-192-0x0000000000000000-mapping.dmp
-
memory/2828-187-0x0000000000000000-mapping.dmp
-
memory/3044-204-0x0000000000000000-mapping.dmp
-
memory/3092-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/3092-135-0x0000000000000000-mapping.dmp
-
memory/3108-202-0x0000000000000000-mapping.dmp
-
memory/3116-151-0x0000023A704A0000-0x0000023A704C2000-memory.dmpFilesize
136KB
-
memory/3116-153-0x00007FFFCE4F0000-0x00007FFFCEFB1000-memory.dmpFilesize
10.8MB
-
memory/3328-184-0x0000000000000000-mapping.dmp
-
memory/3440-170-0x0000000000000000-mapping.dmp
-
memory/3476-175-0x0000000000000000-mapping.dmp
-
memory/3480-176-0x0000000000000000-mapping.dmp
-
memory/3480-246-0x0000000006310000-0x00000000063C6000-memory.dmpFilesize
728KB
-
memory/3480-228-0x0000000005110000-0x0000000005195000-memory.dmpFilesize
532KB
-
memory/3480-232-0x0000000005760000-0x00000000057C7000-memory.dmpFilesize
412KB
-
memory/3480-242-0x00000000060D0000-0x000000000614C000-memory.dmpFilesize
496KB
-
memory/3480-147-0x0000000000000000-mapping.dmp
-
memory/3512-249-0x0000000001310000-0x0000000002310000-memory.dmpFilesize
16.0MB
-
memory/3528-149-0x0000000000000000-mapping.dmp
-
memory/3616-203-0x0000000000000000-mapping.dmp
-
memory/3768-198-0x0000000000000000-mapping.dmp
-
memory/3796-201-0x0000000000000000-mapping.dmp
-
memory/3824-144-0x0000000000000000-mapping.dmp
-
memory/3964-150-0x0000000000000000-mapping.dmp
-
memory/4108-205-0x0000000000000000-mapping.dmp
-
memory/4140-222-0x0000000000000000-mapping.dmp
-
memory/4144-182-0x0000000000000000-mapping.dmp
-
memory/4156-180-0x0000000000000000-mapping.dmp
-
memory/4236-200-0x0000000000000000-mapping.dmp
-
memory/4252-132-0x0000000000000000-mapping.dmp
-
memory/4284-168-0x0000000000000000-mapping.dmp
-
memory/4292-190-0x0000000000000000-mapping.dmp
-
memory/4344-207-0x0000000000000000-mapping.dmp
-
memory/4488-169-0x0000000000000000-mapping.dmp
-
memory/4500-178-0x0000000000000000-mapping.dmp
-
memory/4516-193-0x0000000000000000-mapping.dmp
-
memory/4520-221-0x0000000000000000-mapping.dmp
-
memory/4560-179-0x0000000000000000-mapping.dmp
-
memory/4716-143-0x0000000000000000-mapping.dmp
-
memory/4808-220-0x0000015114BC0000-0x0000015115681000-memory.dmpFilesize
10.8MB
-
memory/4808-218-0x0000015114BC0000-0x0000015115681000-memory.dmpFilesize
10.8MB
-
memory/4868-208-0x0000000000000000-mapping.dmp
-
memory/4884-174-0x0000000000000000-mapping.dmp
-
memory/4908-209-0x0000000000000000-mapping.dmp
-
memory/4912-215-0x0000000000000000-mapping.dmp
-
memory/4940-166-0x0000000004C30000-0x0000000004C96000-memory.dmpFilesize
408KB
-
memory/4940-161-0x0000000000000000-mapping.dmp
-
memory/4940-167-0x0000000005250000-0x000000000526E000-memory.dmpFilesize
120KB
-
memory/4940-162-0x0000000003C80000-0x0000000003CB6000-memory.dmpFilesize
216KB
-
memory/4940-163-0x00000000043C0000-0x00000000049E8000-memory.dmpFilesize
6.2MB
-
memory/4940-164-0x00000000049F0000-0x0000000004A12000-memory.dmpFilesize
136KB
-
memory/4940-165-0x0000000004A90000-0x0000000004AF6000-memory.dmpFilesize
408KB