Malware Analysis Report

2024-10-18 21:24

Sample ID 240320-ehe8qaga95
Target d7d26e52666b2a4633daf1255b15f967
SHA256 b5783b1d56cb32dfd50a16fd41c70c72cef40ff6c3389242ff4e5bb4a2905413
Tags
stormkitty zgrat rat spyware stealer evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5783b1d56cb32dfd50a16fd41c70c72cef40ff6c3389242ff4e5bb4a2905413

Threat Level: Known bad

The file d7d26e52666b2a4633daf1255b15f967 was found to be: Known bad.

Malicious Activity Summary

stormkitty zgrat rat spyware stealer evasion

StormKitty payload

ZGRat

StormKitty

Detect ZGRat V1

Nirsoft

Stops running service(s)

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-20 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 03:56

Reported

2024-03-20 03:58

Platform

win7-20240221-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2352 set thread context of 2376 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 672 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 2352 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 2196 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 2352 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 672

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2196

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 google.com udp

Files

memory/2352-0-0x00000000011C0000-0x0000000001244000-memory.dmp

memory/2352-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2352-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp

memory/1160-7-0x0000000001D30000-0x0000000001D70000-memory.dmp

memory/1160-6-0x0000000070010000-0x00000000705BB000-memory.dmp

memory/1160-5-0x0000000070010000-0x00000000705BB000-memory.dmp

memory/1160-8-0x0000000070010000-0x00000000705BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1a9d77294b1c58e9335205f7dead8147
SHA1 620954efbebc1a3b828ab50679ce87efa46be977
SHA256 007b02864686c5ebb03b1bfd7554e5497fc87b637a04cf2fd74c3245481359c3
SHA512 73c7e1b3de300744ce7d32b8a5dbfdaaa7222639f5201c10eca6d4b80e1f1d3196fb23b1efc275aa139172d8ec8c732b07e9c971ce4ea32a8a8a82f3c33a7f13

memory/2756-14-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2756-15-0x0000000002740000-0x0000000002780000-memory.dmp

memory/2756-16-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2756-17-0x0000000002740000-0x0000000002780000-memory.dmp

memory/2756-18-0x0000000002740000-0x0000000002780000-memory.dmp

memory/2352-19-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2756-20-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2552-26-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2552-27-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2552-28-0x0000000002B60000-0x0000000002BA0000-memory.dmp

memory/2552-29-0x0000000002B60000-0x0000000002BA0000-memory.dmp

memory/2352-30-0x0000000004CE0000-0x0000000004D20000-memory.dmp

memory/2552-31-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2952-38-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/2952-37-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2952-39-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2952-40-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/2952-41-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2644-47-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2644-48-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2644-49-0x0000000001E10000-0x0000000001E50000-memory.dmp

memory/2644-50-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/1420-56-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1420-57-0x0000000001EE0000-0x0000000001F20000-memory.dmp

memory/1420-58-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1420-59-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2328-65-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2328-66-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2328-67-0x0000000002B20000-0x0000000002B60000-memory.dmp

memory/2328-68-0x0000000002B20000-0x0000000002B60000-memory.dmp

memory/2328-69-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/1468-75-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1468-76-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1468-77-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/1468-78-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2388-84-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2388-85-0x0000000002800000-0x0000000002840000-memory.dmp

memory/2388-86-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/2388-87-0x0000000002800000-0x0000000002840000-memory.dmp

memory/2388-88-0x000000006FFE0000-0x000000007058B000-memory.dmp

memory/1344-94-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1344-95-0x0000000002A10000-0x0000000002A50000-memory.dmp

memory/1344-96-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/1344-97-0x000000006FD60000-0x000000007030B000-memory.dmp

memory/2352-98-0x0000000004FA0000-0x0000000005014000-memory.dmp

memory/2352-99-0x0000000007FB0000-0x000000000801E000-memory.dmp

memory/2352-100-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-101-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-103-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-105-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-107-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-109-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-111-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-113-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-115-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-117-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-119-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-121-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-123-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-125-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-127-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-129-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-131-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-133-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-135-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-137-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-139-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-145-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-147-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-149-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-143-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-141-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-151-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-153-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-161-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-163-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-159-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-157-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-155-0x0000000007FB0000-0x0000000008019000-memory.dmp

memory/2352-2286-0x0000000000C50000-0x0000000000C60000-memory.dmp

\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/2352-2317-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2376-2322-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/2376-2323-0x0000000004C60000-0x0000000004CA0000-memory.dmp

memory/2376-2321-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2376-2391-0x0000000004C60000-0x0000000004CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCEAE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarCFED.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a720437bb7c6811d7102713ed50a4fc3
SHA1 74d4fe110b75df7c2f913088b783a6bad24fab9f
SHA256 b32e8a0c340acce4df648555c9a080f73ab0088a5e968d53e5521f34d73e35dc
SHA512 0b7964e5f7ebe92632e2df9f5eebc2b4b20635b2d7f008342bdb42f6d3738f04df564b2e4ff207ef29a9ba23e99a48d882af965ce837beede7461366effe3671

C:\Users\Admin\AppData\Local\84af7c45178a2c3f8a76aef1b1036565\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2376-2466-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/2376-2467-0x0000000004C60000-0x0000000004CA0000-memory.dmp

memory/2376-2468-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 03:56

Reported

2024-03-20 03:58

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File created C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 916 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
PID 1696 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2956 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2956 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2956 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2956 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2956 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4504 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4504 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4504 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4504 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop WinDefend

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

memory/916-1-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/916-0-0x00000000003C0000-0x0000000000444000-memory.dmp

memory/916-2-0x0000000005490000-0x0000000005A34000-memory.dmp

memory/916-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/916-4-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/916-5-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

memory/2864-7-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2864-6-0x0000000002960000-0x0000000002996000-memory.dmp

memory/2864-8-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/2864-10-0x0000000005480000-0x0000000005AA8000-memory.dmp

memory/2864-9-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/2864-11-0x00000000053C0000-0x00000000053E2000-memory.dmp

memory/2864-17-0x0000000005AB0000-0x0000000005B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bybxkviq.2ap.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2864-18-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/2864-23-0x0000000005EB0000-0x0000000006204000-memory.dmp

memory/2864-24-0x0000000006240000-0x000000000625E000-memory.dmp

memory/2864-25-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/2864-26-0x0000000007200000-0x0000000007296000-memory.dmp

memory/2864-27-0x0000000006760000-0x000000000677A000-memory.dmp

memory/2864-28-0x00000000067B0000-0x00000000067D2000-memory.dmp

memory/2864-29-0x00000000086F0000-0x0000000008D6A000-memory.dmp

memory/2864-32-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6832ae680e8ddacc9752c84ff4ee94d5
SHA1 eba38e3a46f6a27ec29c567c6766ba57fe7954ba
SHA256 19c4f3bc855b449022b1baf50569236e2d844e3f323453291495de125f76e632
SHA512 9cea7dcd3b0bf6bb6c1fd15aea43312cb52926e2e61455fcb26a6dd82323e352b9960f4afe412891be2aba54230ef354772e5397df8c6100e5aab875247fa1ef

memory/3232-34-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3232-35-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/3232-36-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae6933dd36f2e12239e9156075075711
SHA1 168204c33aa0c5db190636fd2a6f0139caa359f6
SHA256 656b2f068c8a92fb5472b8db98d56f0b75bc5268da19d948adf844a4ee3500d5
SHA512 762482b7741f1bad0b2b2bf945b411cbfed350142b12f6512e1cc99bc6daf696a13713c216a99d57fbd869f3028675a9f670d3b8c951eb5da848efa8a6ee51a2

memory/3232-48-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5116-49-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5116-51-0x00000000024D0000-0x00000000024E0000-memory.dmp

memory/5116-50-0x00000000024D0000-0x00000000024E0000-memory.dmp

memory/916-52-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/5116-62-0x00000000057F0000-0x0000000005B44000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9e739980cbbe02111adb4730cd87604
SHA1 b070e12f91016bcd3ab8c365f10857a7248fff05
SHA256 49a7ad33a7abe9571889555749fd4dcbcbffb7e554b012df5028d49381d694c2
SHA512 8686e119ad5abc260f69135b3b109a64e79bbffba3e1dfba0b3efe12c46341df4b9b88e70b5f11d26afa5836eae2e73f0b56609a59cf2d41a686f55a3c418e2c

memory/5116-65-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/916-67-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/3752-66-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3752-68-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb9443b3374bae20db239c4a3d6b9844
SHA1 a025a25b27bc0f48674e6adcbce9531fd5f8ef2d
SHA256 102411ccfa52b3cd62ceecb6998f83e3aa590248c47701b236a306c8faf24322
SHA512 e37a72693f6bccfdbf26da11acd23b715757b7887a560ce05055c3481e78afda468931063026336ab589b77f412c62bdcf80eb89c40fe3f2690930394b665025

memory/3752-80-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3600-82-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/3600-81-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33edf2fc026eb6b691dffc6de8b63f8b
SHA1 19be8dc36c38d9326de36294e4958d6cc627b5d2
SHA256 da56a8d0ad153c6f9074d04d8378343ae6002a5a917e41f98ff0ef07bbb02ae3
SHA512 daff2714ac4f33b683af4b7bd919b72a1f62843b882ff12b2cf31fe58cbcd890bace0b77b9a3f1708251856e1c830ea3d59f7a68cf0fe79bfc752b341a8d538c

memory/3600-94-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3964-95-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3964-96-0x0000000005110000-0x0000000005120000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 87ae313e10cb53a28b6e926040896504
SHA1 65d8ea8795de5f2554bde32982c4645cafce2975
SHA256 e65d941cc97de01c223a44d8ed55b046fed49afa8d319fac6a4acafd1550efc1
SHA512 5b21e0862f976a6df9c2e16713cfb0eae2278ae6b5a6ebf73d2ebe72203cf6fdd1ff4130f3994ca5a62625d952caac045b1de738e47821c555f16a06b864556e

memory/3964-108-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1904-109-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1904-110-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/1904-111-0x00000000052B0000-0x00000000052C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d036a8f3e69e7efa81aecf2d11bee4a9
SHA1 7c91619a1cb5ec2b2f94baf617c195833881d8cb
SHA256 c7bb4c2e9f1f5df7dc77996ed1b9a2f42de3a5bf6824c0dbaffae35da6da7044
SHA512 70f8f4ba06a1303cebd4bbb5e7cf4e2c6ac244bd937851c0b04bd1276d9856cbf7bdfce14cff3f541458833f044dc54bb0fe4ad2f84df48b687b92f50496e323

memory/1904-123-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2492-124-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2492-125-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2492-126-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96e9dc63612cd6ad6c2fe1ef4631eeeb
SHA1 302a9e81eb032b53d3c945785647e052b2aea127
SHA256 5c3f8d8e4189378d0c1ebb20d8e2fcf6dc4bb1efc0e35496c8dd14652381d14d
SHA512 0cecd406713a43f3a33914457c79dcdae2ced6e5c6f3d12b6f923554e7c5a6c0d6cc16b7360c8428c2d9c4da0fac7ad0bb892fd08bf2bb7f1dfc411488f55d4b

memory/2492-138-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2072-139-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2072-140-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/2072-141-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb2cda4a7f5b4237155e1db715789180
SHA1 445362eaa2ad11aa615fe3f6898c5aca362a88d7
SHA256 509a00e7606051c00a624850069d975200fe665748a4b6ec2e26578ec6390a68
SHA512 9dedc5c65117965decb89d74d93ee4451f10f397d75d42702d90de6d821a307fa0d01a5617c19512aeb6d3605f0a0d7c6a8f7af260f9f6f7f44a940e5cb4cc91

memory/2072-153-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3952-154-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3952-155-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/3952-156-0x0000000004990000-0x00000000049A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d6b8d8c5b9cf39b1012d3efd7dfe1e
SHA1 90f095e15c89480de7986f47b34e29063e2d41fd
SHA256 aefbd92d5afdf140a5d165ea90153f2df5a1c0107e6b0cc4bb84fb6946d5e5ad
SHA512 3c806b4bdb68747f43cab8745409445b88d70a9e8e05898c0b2b01c84b72fb1f3d6c277b59fbd5c49434735ebad99d6b0f742fcf1e86bf10900f0ff66a150808

memory/3952-168-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/916-169-0x00000000060C0000-0x0000000006136000-memory.dmp

memory/916-171-0x0000000006070000-0x000000000608E000-memory.dmp

memory/916-170-0x0000000006150000-0x00000000061C4000-memory.dmp

memory/916-172-0x0000000006330000-0x000000000639E000-memory.dmp

memory/916-173-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-174-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-176-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-178-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-182-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-180-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-184-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-188-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-186-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-190-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-192-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-194-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-196-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-198-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-200-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-202-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-204-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-206-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-208-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-210-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-212-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-214-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-216-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-218-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-220-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-222-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-224-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-226-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-228-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-230-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-232-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-234-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-236-0x0000000006330000-0x0000000006399000-memory.dmp

memory/916-2359-0x0000000000810000-0x0000000000820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/3712-2374-0x00000179EB710000-0x00000179EB732000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d7d26e52666b2a4633daf1255b15f967.exe.log

MD5 b5291f3dcf2c13784e09a057f2e43d13
SHA1 fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
SHA256 ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
SHA512 11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\System\Process.txt

MD5 b54f543664a9c3f4a1e1a2bee6c85e40
SHA1 517ef002b279e78517e202c654887f565c3541a2
SHA256 2165f3d3f696bcd6168a5c72a51e861f35443a191bf430f69d1cbdfa25c23a34
SHA512 bc788520eab0634811db9fc5768e708d853f09521f876e836114811c1eea7e8574a7eef78f46ba01aaeaf8071a8e0c4b04bbb0e2bdb4ea4fe142eb03ed1b0354

C:\Users\Admin\AppData\Local\bbea729f163e8efac8d5cd98f6dc2908\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99