Malware Analysis Report

2025-01-22 08:14

Sample ID 241026-e5ssbszdme
Target ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea
SHA256 ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

Threat Level: Known bad

The file ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (73) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:31

Reported

2024-10-26 04:34

Platform

win7-20241010-en

Max time kernel

29s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\HUEMcIcA\\zggwcAAA.exe," C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\HUEMcIcA\\zggwcAAA.exe," C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (7 identical events)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (7 identical events)

Renames multiple (73) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xEIwAkIc\AqIwccEc.exe N/A
N/A N/A C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A
N/A N/A C:\ProgramData\vMoUIQwk\BkocQcwc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A (4 identical events)
N/A N/A C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A (34 identical events)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\AqIwccEc.exe = "C:\\Users\\Admin\\xEIwAkIc\\AqIwccEc.exe" C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zggwcAAA.exe = "C:\\ProgramData\\HUEMcIcA\\zggwcAAA.exe" C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zggwcAAA.exe = "C:\\ProgramData\\HUEMcIcA\\zggwcAAA.exe" C:\ProgramData\vMoUIQwk\BkocQcwc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zggwcAAA.exe = "C:\\ProgramData\\HUEMcIcA\\zggwcAAA.exe" C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\AqIwccEc.exe = "C:\\Users\\Admin\\xEIwAkIc\\AqIwccEc.exe" C:\Users\Admin\xEIwAkIc\AqIwccEc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\xEIwAkIc\AqIwccEc C:\ProgramData\vMoUIQwk\BkocQcwc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\xEIwAkIc C:\ProgramData\vMoUIQwk\BkocQcwc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (21 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A (7 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\xEIwAkIc\AqIwccEc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A (14 identical events)
N/A N/A C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A (50 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\HUEMcIcA\zggwcAAA.exe N/A (60 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Users\Admin\xEIwAkIc\AqIwccEc.exe (4 identical events)
PID 752 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\ProgramData\HUEMcIcA\zggwcAAA.exe (4 identical events)
PID 752 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 752 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 752 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2784 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe (4 identical events)
PID 2884 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 1508 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe (4 identical events)
PID 2884 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2884 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2884 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 1956 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 1956 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2568 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe (4 identical events)
PID 1956 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe (4 identical events)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

"C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"

C:\Users\Admin\xEIwAkIc\AqIwccEc.exe

"C:\Users\Admin\xEIwAkIc\AqIwccEc.exe"

C:\ProgramData\HUEMcIcA\zggwcAAA.exe

"C:\ProgramData\HUEMcIcA\zggwcAAA.exe"

C:\ProgramData\vMoUIQwk\BkocQcwc.exe

C:\ProgramData\vMoUIQwk\BkocQcwc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 api.bitcoincharts.com udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 maps.google.com udp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp

Files

memory/752-0-0x00000000001B0000-0x00000000001C5000-memory.dmp

memory/752-1-0x000000000040C000-0x000000000049C000-memory.dmp

\Users\Admin\xEIwAkIc\AqIwccEc.exe

MD5 d248dc26d732608bd47afb57df7437c5
SHA1 a379bdba2c9d636e15ca3ddd8415a052aaca836d
SHA256 281054cc23db4f221a6e78bdb8f20d9f61f779c0008dab854ed7f79889b299ff
SHA512 5aa38847122411037fbdc6ca7ea20aa29be8dffab4f81d95497b635d987a8f1f5edd33ef47ad96a44a5f69ee3f5760dd8231c17a19f49046b090d48e50e77ac9

C:\ProgramData\HUEMcIcA\zggwcAAA.exe

MD5 4b90c83ad7285345cddfca05efc9411a
SHA1 bc668e9df9410f21d4d312363c1e37618ac77156
SHA256 f6b4cbfdb720624663ab2415f5ba1e9c03b66be7a44d99ea837fb36787eae054
SHA512 a3d28628b730631c6e92d50ee1433cfe060ff5434a421a8ca56f2c9cc1039ddd720f2e469fb3c222f1c04c057186b6762f927a617539d2f0f50086cd6d230a6f

C:\ProgramData\vMoUIQwk\BkocQcwc.exe

MD5 dedc0423ebf227c6f240a5eb7b1c8606
SHA1 456dc88c22798b051525ad0ec8230a21ccd8dbba
SHA256 0964512489d1b86a966a0feffc44f7ca8c9ceed6ef408257a275cb70236280bf
SHA512 cf7f97d98352462f4400ac8d9552290831a1ef69ff0cebed792af01ffce533a9f8e58623acd03a95f166d08c88378e69f1dadb6e5f7d1dce5ca5d6392683c905

C:\Users\Admin\AppData\Local\Temp\NUMkkAMk.bat

MD5 5c4473079612d8260589dfbee110b830
SHA1 93176084f035929e09233f92bbb4f92468f746f8
SHA256 9ae43dc1fffd22c8028a68a76bfb5934bd59680a83af5180d8d62b797b360e90
SHA512 3470cfd5d02fb441b1c85d9823ca451bf559b6a60eb1c5d037e1fd0e6b9bbe641ae430c9355a5ede52e8fe6af26184f6065f15c5e3f851c2fbfeb5aa94419552

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 a41e524f8d45f0074fd07805ff0c9b12
SHA1 948deacf95a60c3fdf17e0e4db1931a6f3fc5d38
SHA256 082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7
SHA512 91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\hOAgYIEc.bat

MD5 383e7c730a3de9cc46c0d046c5d7a4bf
SHA1 9b9f0dc2ecb9e8d4bc838cb1a4be3cf149ea91c7
SHA256 d22a38f7fedc9cca49ec65a7359efc99daa62d7534a53df005ed00176be731ff
SHA512 2efe5f0d78ca55c6e134ca471d6975cdc26096021ee8141d6cc848519391f3ae39e5ace91a99f639befdb5352063ac37929ba31aac4072aba4a55b7032b560fb

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

MD5 96b5a5aa81cddc217e02a83da419a8ea
SHA1 2f005ac25837210b71780fbf0d44b1b1da873749
SHA256 50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c
SHA512 bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\KGQAMYgk.bat

MD5 9ce232bf22bbeef34bc9ea6c1798bb84
SHA1 f0e30e323f472caa6c7556c6e7ab16578e32a7f2
SHA256 d9f137150896461fe225a2fc52cd8b7d1437e40f001636574306a9f774df4d6c
SHA512 a5dc98c2698e8cd7c5dc7b3c2923e12282df1a0c5710ded53eec919d8b0cb3cae24013ee9ced3afcce78507291a799714e36239048a0dfe2dae703845a6a4474

memory/752-417-0x00000000001B0000-0x00000000001C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WsAYcMoE.bat

MD5 d617f8206a37d6da8d22898f0e8c7cc5
SHA1 6f32875c9c249cffa0c97406448cfe74fcf7a916
SHA256 d0ef9fcbbefec80d0d20bc273d9e11a43960245722faee3183e8cfc69a8b3073
SHA512 ff05cd41282bc9f678d18bf4420b587ff429d0cae2395401cbf49fea5eee91d59aa85b7a3cb59c6ee8516922af5d5491a175b90921d679561edea8199d505f08

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 3e3ba6aa47a8ec7990a83e759423cfee
SHA1 ea97149066bbb5a16968b25149d932c475b59e3c
SHA256 951606e73b54a092a1c1732b7cf0bb163125ce97750f67b04f413aaf0b33051b
SHA512 507d53f5df5a8b77acf034a9b93d948fb3e2b097dcfe77ebacce3afd8104d03b90168b440dc8ec837a971f52bc70c715e48ab326987e5e2ea57ed52d21872599

memory/752-634-0x000000000040C000-0x000000000049C000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 bac166969acaa5bac8438262b186d312
SHA1 c64d559d58475d25d3093ca6ef8b957d9efb8d4c
SHA256 cf97866e7dbe4f77f459e7158e0b6189a90ae3703642aca8ed2a6a3c07418f5e
SHA512 074295a2fe8c2d82aed54e1aa67bcf46fa632ee92a71e22349b6b2708089c8d598e6a88d5e1e241db9030b53a7eececbaf765f32e99a7468fedf17a05393f9bc

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 18d3b702261d54779309151b61eaa504
SHA1 2e677eba7f1220756d554893d1e1295db5ee396c
SHA256 1b3c14db5625aba2ec965c7bd59e2c426bcd656ece10e364442544fa0f3d42d3
SHA512 6959dad400356a2063c5a29b15a3344e9087a93629b01452b90abb85e5ddd40bcf598a04b20e79a017123f385fb7794dae26d75662fea632075eac9e5ee8f1ee

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 9613ebe90ddace7c5205452691509d11
SHA1 c4ca241bd84b1aa3e822df945d63c265aebce96f
SHA256 38230e36744f7059cab45270f92492cb5effbeb163da7fa3b6ea0ce180796d10
SHA512 00219b37b79f09a5fd1614d9cf5978c4a49e65ba91f2cf20af28bef525f9062c0f27d9068d4467db62a13e447cb5de51213198d074a19cad9ab8dbef05a5f24b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 8da0bc4093dee3a31c28ecd7dafd6969
SHA1 635720c9b34d0e53bd0360ddace897006b04c925
SHA256 c6bdd64dd70604dc0f692ba6a80eaf109cbe2e33c634406a1c8a2d6bc6e08722
SHA512 f4226a31d69824a2bd0f3f8f7b311b4259ec5447696d47440ba82537499f42bdac05cdf57ae9e5599650dc0375b1ab83f1662630b958d74d4906dbc99678c743

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 6bcfb2a5ca7d6c87ff6e1be2229c296c
SHA1 586631225ea7ff9afab675e003550a97dfb98607
SHA256 dcf350ab488259c6a720452dbf8794954496224add8cc0b865f4f63aa8fa54fc
SHA512 d7cff739741771657369161acb981ed6704be5b09a081c2969272a915d156784bb1d4b7a4283bf50e740c26742da0f118fc81ccfd1dac39849077be6f545a462

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 442159ab3128cc27cc99a9a4325b9075
SHA1 4b06618af329562d8d3f44459bcef9040eaf09e0
SHA256 b0c4d91683a3070b863a8bfa02e0aa21d2351486bcb2709a1c7941bb032119c7
SHA512 30ad1ebbd8bbc2d235dfc3c4e2acd4973b41db06e20098bb216c10813564fe248f687e852d963ea0c9485e58cd252bbc571e4f0391f96bd29f2759a06befda82

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 3c45213fed8d0a2fd7a48fedade83aa3
SHA1 10ac21415eca2adfd8c34a66e3e9942b320f34a9
SHA256 a5e0c846dfb8698526dfdac32a266e145980588df6ca241e75692f17bae52025
SHA512 7832bfef1b18c521d8a81ef50f323d1a4b58e444aec02c1849bc25ed333e1e2541d6b3c4ef3970c3306ca9138d339b94e01616fdfa3c34154d541b7fc88865f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 bcbd35832b8dbbd302478130ca18441e
SHA1 616cc613e8b6c2f19fce9b5085ab9cf2d8f53c12
SHA256 e2134c43a53c1068575099bc5bfbef1964efece6fd106bb87061814a5b2846e9
SHA512 bed2669db1ea102d7fc011229830bb07a21d06ccbcc4ded80f04422835922ab3bf4390a65c519b908a90833a9831d04b460cbf1df2e475d32d682e66d5d700d4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 bbadc5fb326a6ea0cd50ba7e36840860
SHA1 cc8fe72fdf45e8c1554e14d453766b23012a062a
SHA256 c4642bb6fb94a5e733f42aed69ba703ad19ada636ebfe178e89ee657f2a8bd6d
SHA512 e9ec397d6cfc8b9a4feae58b859064fb70101e2fffd852d43a5af59d606ff210b91b330d7919d158a2beb218bc04f1dce517956c258dfbedc00cefbfc0eb8dd0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 98da8f2da750dda223b6908acf2cc6aa
SHA1 553099e86f2448aa52ac2de8c51e8a497b559834
SHA256 691f74fc089761bb6e9143c3b2a4074d7d535ac9a7490d2d0833fb6316172560
SHA512 fb70cf361b31da04558f4c729d385a17a95a77057938dbec2bf68ea43c79497d3ad209196d107f4564e312c9c5fb536b77dc0404cb0f7a155a5f53d6ff0e02ee

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 99aa0b531de8c21b17673f9626cd3ea6
SHA1 aae3231f2264e5b9951590f4a86bfa0b69f743b0
SHA256 19db1cb5a9a6813b091a44f7f5ff60e18c08cdd8ae5adda5eb67e94ad9dedbcd
SHA512 0f9ad7c86151ba7dd040cddf7773a7c8966e09067e99f21476180bb77537323aee9a94465ce13e4065830a767154d08c36c9fb2df0e6e9a2125656c6a574860d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 44a70a3f74148c8e5a45aa607fa00e1f
SHA1 d774a74eb54cf9c6e4677276480530e6dc3bff7d
SHA256 5ecb853b8c2a70414c11fc4b198931310d884ee7e4a33bd2622567d1d8a511c6
SHA512 f9fa67c46e9c2f177bef33ae3529acb3f7d7c37531d8e27ea1489e84eb68ec94f0515b2cd4dd9ec6683ad6ba20fc03bf08f4704819334939d3a3f25dc594dca9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 22d4f1f3794e21fd35b6ad5e858b69f7
SHA1 3fffd531d289029f018f8dcaaf1bc5e2b521c852
SHA256 58b2c585c7d30443486643fda194c66a3192449dd1938b7641f5b892905a04d2
SHA512 dcc5ba006a2aca2d05685483a88f45c691612431d906c681606a8fae36f39d2bb82621b955652d907dfee600047656240d5e93358c042e5092ca6eb48fdb71aa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 2f9745c43ce123ffb715668828848c9c
SHA1 5aec790111fb7ddbff155473b025d505fd9111dc
SHA256 b557a4383bc983eaba19e503a5029b83b8227918c4ff937518cb3849dd455a04
SHA512 ebff38fb1253a75e89f11090424a59a5900f38b6ba1adf88d8843e7b3e9c0cbc8b1b77618b7a159a94e9239d654438b95c79e13a05b98211d577fd070957fb37

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 b692489d50463a6c48c49135e24d945d
SHA1 71a998b632b5577937a84de8037d159e818554bb
SHA256 56e8752b0961a3e4b9a9d3acd7e6f0ac82264e4cbef7938564c7fbb475e8f9d0
SHA512 a46a8c861c680e990d9cd8264875fd1c88bb458d3127b7985c529cdd6e208aa7244430e6f0d50055602547ecff9ef13d981a9e21949cabddcc2e57139217db4c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 1ae92013439671a3622433bc95c28c40
SHA1 7bdbe8ff313081043133b510ef1b6064424b39f0
SHA256 fd989b96abe373be0d6208d329d87e41f73504a7bc481ed94a9a5cc0c719f188
SHA512 e1c9c5c64314652da597c10db42bd0817ced4b32c07e377940cabc802aaf801565dd2b6f70fe94059a1df20966d249ce35cb9dfe407156a4030bb0195e801a70

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 896108c7bdddee1d11ca99ce4e8435da
SHA1 371018c95b315c98ae7bf50e6f29b915e18f1d87
SHA256 3cff97a677260ee89fe6a89101d2abdc403ebd829c159a76df9a319726d2048b
SHA512 95d8ef3debb417b32a1eda7e789bae4924e786989ab253f0e8a804ac43dfa2326eef5d68d36a29f695d9846f98a1f351dbdcd6ddddc3731533b43be2cbc48fc1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 5f08d54e1a2c111906f18194f2130a1b
SHA1 3bdef8508325c37c46b04b3660f6eca1c37cd54b
SHA256 4f235ae9562fab981f5aa1c024e0e5e4da8d0c05b0eacc8ad76ce66eba38f45d
SHA512 403bdd03d40a3e9352059360a514207af23123c45be7fef243d3826138b5914572bf183197e38158d17faafe17bfc2c39ff1f93eec8cb44ff8868d8da78efb87

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 056379f804dedc09800be27dc8f5939a
SHA1 7d1e9c1e6afd1f4e5ed2fa82446b77f157b4047f
SHA256 73d19d4df7dc967772201e868b9602f7541e6ec32390089721fab18fcda1aef9
SHA512 522228e3ffb2811d4b915eba60f83c40548b17123c4a3d01653fff3a73e40af89cde0e016e6b8826731f5a50989932603c06e92dd581ae8a7d2b467716ad9d4d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 7f8ff621695f7bc537f1d262f7b61525
SHA1 582a1c5ed43604dd295da925b3027c980c016ff3
SHA256 f0561f9cf3de74cb99078ccd5f615cf358700bde029b8c4cdcf07e4c3a4f15b3
SHA512 9fe6a09e6a8e95a7b8693fdd4ee579a42d0f602f2c66553a29c261961abfbf8ce2961fea80805927c1597b972f669c8de57774e162b6b8344652016b5b9e86ed

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 afaf77e2c069399c8d10f5195388631f
SHA1 bdf4c2ee7f8f65ab407ea696e9880c8d19643995
SHA256 6761320855d5fabe972226719a0f67cd0cb913004ffef849572ea3c24984ffde
SHA512 5c79c5a145e08c244a4937cba3038f46372e25f1e28c8aec792f168fac372f9fd8a9aed6029df0b3d85b4c535503377b8ab0da861468898ce183999f0ccf2b54

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 02fec97d343178bf1e68e3665a53e9e6
SHA1 289bef740868586fbf003f4a6b17747c3fe33b2e
SHA256 6fc78616f67928efde8408b05447cfa5361fb4b8b0e3677b70e5e6f03f943a74
SHA512 3c37c96e64fadd54bfbcca6cae9b2a4c7213104747dd4af539c79a6a0f5ebc485d17495a31759ae386c79671cb8113c28414579d2332470ffa402fc0c95a2af6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 afc5afa9c96fbd56c77acb3a80416265
SHA1 01952f2bf4af2c30342910d27798b473fbc765d1
SHA256 20046b054700a2d546d8592aeccb8aafd9d556ff4565966dc02ed9af9dc31c19
SHA512 6487ac425ea957a7180ba5fcf33cc4007ff31b8cc5281b7536cf3234ec8b5bfb5e35621a49a0a91e930c3cf0b7a031fb84020fd93676c7a00dd31f1b763f47e6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 ceb4b71fcaf0ee5a80ea4c6b42a2c66b
SHA1 1dd6ea5adc955e309e995bcdbe69cacddbbbb19c
SHA256 784e122d320e2463bd9cb3c2775c96860d72df1b35539460d9231f774b917091
SHA512 57f2271bcad368e1f551881da392fd1f6111bbaf18666ebdfbf345e7cfdba8f4e3c5aa8dbee16ff338b211c6adb49846a36fc6a9af386efa0c21cf50fb5ba9a6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 724884c19db0786049761f1d4718b986
SHA1 48c1f16a8a3189a2306d4d47d51cbffdf6b3a36a
SHA256 34588738a6341d9b0810eee80131ea6d4eb9a1472a57c732a8e2261dbdb9efde
SHA512 7a6799170e3d2181784223968d2c0fa11b0b2d23c64ab4c10436d6d4911aba910cd60d15ffc97652a5f21f84c083a97bf9b94c9264984e64234260ea9b06bf39

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 a830d1ca182d0ee11fc38246057fd099
SHA1 2b9ea232905716efd36f67cb10f82be4c6ee2fd5
SHA256 85f6504ac57dbdc9332761c73a809c136d7961c8b4533b0ed1971a8184da443c
SHA512 6c2f7c54c48205b3224bb639b49c0816882a5438e738ea6ed244b840e47fe7e12a5f169bf2d800654d820dab032c1f9c6f3409e1c6ce374f6b08c8633a4a2f6d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 bb68d86c2742d1b3cfd4f0eee1e17b73
SHA1 ae3cdbf9f82099ddf2a0e98aa17bc4befb5e2cfb
SHA256 c260d8c865467c03b42f93573d1d07f7909df070f8b0702b5d34ceb198a7dfb6
SHA512 220dc58cbbdcb55e6a42819601ecfe3f91dcbda03bbad776aca0c7a75c63fe3016b2ea55682f153594f012117f33b284889878d009bf5d92f1556290bd9f31b5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 7e5aa0592d89accf6d77678abba5716c
SHA1 864b44e358e0096d2a4ab7127a49194bb02a33ef
SHA256 2e107e0c7bedee99db786aeb4523a7a37c8aff89d36bc818cba562433d5ff1d5
SHA512 e8072aaa84a110d3238f42c9112853812579ca30c93ee0f22014c3a2a425a16267adf04d0cbf41e1d920cacb2fe92eb1ae7c613250d09a7c9f7ee6dd1f553a63

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 b5d60eaa25256523bbc186de6b06625c
SHA1 cba78a66792cd9362204e0c5223d585e4eaf9f00
SHA256 0ab91cdb11e26adf936f6169cdc7f92306cec00e4717af6b159ac05aac465fe3
SHA512 a46e5443a9e08c5823461c39f83619aa50df11bd81572584fbe5c1662ce18fee65391d4d7ed7a9d6b924720228b09434813053655376b90a264f936df0d3deb2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 35b612725fe608c9fdebcf56c7069b17
SHA1 fc7bbce75517f087005c4d02cc58dee243511a85
SHA256 e5ee35533464eead72c1646827ca1c39133c0874c12a2100f1efd60f245eea4b
SHA512 3601ccdecfa51d913e657d2b9b6bcef7835445edc54eec7ece64d6cb07947fb86f2064b4aa9613a08c6773798058cb4cbffde2e6166070b46c3076ad309bda8c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 27a01825b43c14e330419282161227b6
SHA1 910b78990f8d432bae9e6ebc59863a266551c805
SHA256 e9c7071e43db375eca6e252df2b1ee53528d004d73a45d5d56436b7d8a22773e
SHA512 f996a0117bb57629fcd8f63bbcd47aab4cc495730b12a9c3eb0000a2756e2709e1211b3b53270932beaf49544f442fd96a3777b17083f106a84b1a4ddb691989

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 bd45541bf0348b54c8c7046bd33d8576
SHA1 4b8e9bc6157f949fee25ae7d1c167a097e40375f
SHA256 1a70663090f88e5f71b47762e564741ea7b9f992dc2edfb09ae6ad188297dc37
SHA512 c7ac6647e5d853cf66e2423ffd622364ae94dfd50d14b392513a0d0ff167d88ff5bcd20d8971845810b9d18548fa4c16805b3827c1386c70178167245732c679

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 4bc6dc2aa6f541b230e586deede1392b
SHA1 bca9bedf7c31b4600e588b6ad1e861c8b19af615
SHA256 b6946de17e46ed7f8909e1f83cce39d18cb9a970484e370bb3eacdcf0fc6bf40
SHA512 e4341914afd203800feaa5924d513e5c7428a9a7e6bf000df0d4b6c454fee5ab697f4ad5bcdab83cfa23bf0e11445b7d69d70820cfe2872059c2c1da9d2f2adc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 1379b6842cbdb2cca40966825be6c490
SHA1 6b7537962b0b1f7dee1dbd5517ad37131eabf921
SHA256 be0c590a4d415fbf3b70130733a0a81ea06f62dd70899c0618755e4bc2513c95
SHA512 6e3498ed95dcf2cb907a2c7d7a10398286525eea357d3c028f52d5c054a5dd02062dc3fe058a482078eee4299271b94bbeb5937627943ffbcc976ab8d97ce8ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 3188c3103d6b1791c2deb9cc883c8021
SHA1 fd98604e261ee66d01da7f2bb8b674f28666d31f
SHA256 27955d05780dd577727781e54d58b1337c14a4c46dc384d58af86e75ddbf04b2
SHA512 dae3a5d97c63cd3d3247719a609ef0032f593bffd67fa0f24a02d2926403f92871a66c8144e8bf5cfd73588f8e0226b28403ab59748d195c894982c7d19f4513

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 215d08b2edbaa413e4fa30f0fee5c330
SHA1 1bb64dc4bcfa186c2114674f970784078c90100f
SHA256 bc8f87741a575d7457a9fed77432635cc3f9fb0dd40c0bfbc7d7d9125a43f29b
SHA512 dd626beb7dbdb302c99c542f819bbedce98bd0daeca90fec25762cbb5eb5078444e962bca3bc668274cb16cd5d1a93205385ebc6cb4e546fec6fd3ae802c1966

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 4c0563e2a15c70ba18828c5a43d55a56
SHA1 be826dfa231d179a77eca27693ee7a477ffe40f5
SHA256 9ab688a9c5c3cc546ff60676435b5adfb20a369f8a072401a7299563e7ebf6a4
SHA512 956fa60c4e8b5e8bfcfa3c48c552e51afbc1d10998c14bcb45f97be755e65b10d8ee24906947b5e3657222b57998d21be546061603faaa9dc025fb01ebe8a0db

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 5b94c95878d8641ef3331e5bd8b37d72
SHA1 afdc205590b1f1cbacbed05577eab2c7a4f4ee58
SHA256 e4245f134bd0e066f11891818af4a7775ae1bba4dcc57966f505349dca4f51ca
SHA512 63d59b63c5369b8cced099cc37f5050a82c4a7684b61bc1cbc4effe21531a1b1245d82093b7fcaaff9484622a1e9a8afa0a604d0bc92d58065269fdaaa607c24

C:\Users\Admin\AppData\Local\Temp\nEQoIQgI.bat

MD5 7633c5a574425a1416f92c3aa499c23a
SHA1 90a3e8ae92f8021114f9b6489e9d53394e79b5c2
SHA256 21de7d3332b76ea6c149a80d576ef23073df05fa8b65419670db2eeec9c08f24
SHA512 3e9e17cd5a3e3c2e20f2a66ee3459aa6e6c6dc51fc064d3a55b095b79884e26aeeeb7030849cf4a8ab38502bead6725551dd142fbc237722ae323dad265501f3

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 b0d6d98b797b24e8929cf89c7ba476db
SHA1 10332ad7659fb9f6ff14c3469deea195387ebcbd
SHA256 931eede106ed124bd9995cb53a02bb570a9079a6532e8c3ff7e04e82b23f7c09
SHA512 66dbabf2e508075f26ba282a2fe63229efbf8dbf94657fa03528844040c76b461675703150af057c1203227b527105cd0d8675f7d2a19f7b2c61e104b22311d5

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 2e9e96987a74de4e025fd57b91f2943c
SHA1 39e774fc7c7eddfcdc6e2b185914029f28b77e51
SHA256 e5391437b011bc6d35d6d06f068302eb08581d97069937b3402dacea8d13e45f
SHA512 749b39d4d5983f2e0323268347a85eb9217b4cf5480495f490efe077955596f649d3763877f3c01e18f31e7ba9d96642b9ce5cd93abee65129154c2457e594c7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 69deeb2a828e7483657c80a95a42eec1
SHA1 4ea493cef0c3f2a244f87856c6dd55f822e1c896
SHA256 05686d5f4c23fc7127917b89b35c005afd6c657a0fcb42d2290f96ba2c488aff
SHA512 72652fb3523de8cd3dc0a3cb3340d985c1e60ef0298c4f8277f984fd8118e62896467be22203462c26d93655edbacaf873d1125f71d7eea2289f2148120385e4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 32fda4b4e44ebcbb0bc6ae2220c1d0d5
SHA1 aa5221184cf20cb6f181d2e4ca61109e2bbc74d3
SHA256 91a44707f3d9bf76f2e277a97c42eda962f03bc82c4c4b8ac23ab782f485ef9a
SHA512 cc7da624cdef8536b93d3e7453b904edc7f8bb9462c9b7a4aceeefce56d907c47431276ac3576de98c1d1d10be7ea71811c24904fb60237a8239f1fc24fa9182

C:\Users\Admin\AppData\Local\Temp\LUkkcQUo.bat

MD5 03fff50bc78523a1ce6d0744f6e07eb7
SHA1 6e06e40da07fe6d4f8e852796143672cfd92476e
SHA256 420f306e18969851b71861e94c37704cdd5f11ec12a95a9ff6ad6f2bf784db50
SHA512 49656053ac42a96283bb2d7f199dc36769d49a6f1d97d6d8b42042902d0a47672badb67a06d3ae390aacb099322ebf9de7a7450df5e9fd8a967a1a22066ebb72

C:\Users\Admin\AppData\Local\Temp\CIswowAs.bat

MD5 23086d2225e732cbed69df19799a589a
SHA1 085a2193f8fe7eee98a4594993353e0ef9cc2a8d
SHA256 b8bc84911e98be4cc9bcadef7621a45081581062b7c8a2b7eea799474e8e1e22
SHA512 8f1f6dfa5ec6a4cf408456c08abe94ca3931cb5b80c0c31f02f0ee388acc037acaad0bc7ca5eaf5fa0d14f442099e31e519c30b782db070e07f0105bd48ed179

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:31

Reported

2024-10-26 04:34

Platform

win10v2004-20241007-en

Max time kernel

79s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe," C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe," C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\QokAIcAs\IwEAYUcE.exe N/A
N/A N/A C:\ProgramData\DMwcoMkM\xkwwIYsA.exe N/A
N/A N/A C:\ProgramData\PEYckUYM\aSAgswcQ.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwEAYUcE.exe = "C:\\Users\\Admin\\QokAIcAs\\IwEAYUcE.exe" C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xkwwIYsA.exe = "C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe" C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\PEYckUYM\aSAgswcQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\QokAIcAs\IwEAYUcE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\DMwcoMkM\xkwwIYsA.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Users\Admin\QokAIcAs\IwEAYUcE.exe
PID 2724 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Users\Admin\QokAIcAs\IwEAYUcE.exe
PID 2724 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Users\Admin\QokAIcAs\IwEAYUcE.exe
PID 2724 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\ProgramData\DMwcoMkM\xkwwIYsA.exe
PID 2724 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\ProgramData\DMwcoMkM\xkwwIYsA.exe
PID 2724 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\ProgramData\DMwcoMkM\xkwwIYsA.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe C:\Windows\SysWOW64\reg.exe
PID 2596 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
PID 2596 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
PID 2596 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

"C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"

C:\Users\Admin\QokAIcAs\IwEAYUcE.exe

"C:\Users\Admin\QokAIcAs\IwEAYUcE.exe"

C:\ProgramData\DMwcoMkM\xkwwIYsA.exe

"C:\ProgramData\DMwcoMkM\xkwwIYsA.exe"

C:\ProgramData\PEYckUYM\aSAgswcQ.exe

C:\ProgramData\PEYckUYM\aSAgswcQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2724-0-0x0000000002300000-0x0000000002315000-memory.dmp

memory/2724-1-0x0000000002300000-0x0000000002315000-memory.dmp

memory/2724-2-0x000000000040C000-0x000000000049C000-memory.dmp

C:\Users\Admin\QokAIcAs\IwEAYUcE.exe

MD5 4c4e0863cef0cd5ed2f5f11e1067a9fe
SHA1 329bebd908657c8e1909c9a43cfe3bb5742a7d75
SHA256 deefb545aa281b0b4028fa53eec619acfa49793a3b8b19aa39d6593c7c7958f4
SHA512 9dd38de57706daabd4c7bcf52084523f21b935f23fad445b77fce6aec21d4a1cf1ca1266d642b191138df1c22c535908add830665ebc779d467c79f6735f8e2a

C:\ProgramData\DMwcoMkM\xkwwIYsA.exe

MD5 6b1492b9b98a4c4fa51ac89c9eb951d7
SHA1 71496af1bf817b196fbaf962402c151bf28bff29
SHA256 105056aa51a762722a11dadc25c30db4c0e656bec8e86e7116785782740504c2
SHA512 9a7751b9a6c97b6cc98de3816c76c3e0b4f80699c6da305083e85b15c3ba7e1704ebda410b597475a7155595ba005b209872a3b44fb3856e7871468f11a8b9fd

C:\ProgramData\PEYckUYM\aSAgswcQ.exe

MD5 cf4db1787c480813c5183e9909726a1b
SHA1 1fcb2640626c823a01ac9bdb1ba47a746ebf8298
SHA256 e8557a355470c57ff1138c07990679916d5b45ec7d2a44cb8ff8b0b258876497
SHA512 4b15549e6b94e3e044470b514cd6b2760972168cd63d44a5e6c89094a9ae7ba4723149d47a21d5e2ee46cb4536a5b0ed5721966351fe367951a7590d1d5f3b9c

memory/2724-14-0x000000000040C000-0x000000000049C000-memory.dmp