Analysis Overview
SHA256
4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409
Threat Level: Known bad
The file 1.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba Payload
MetaSploit
xmrig
AsyncRat
RedLine Payload
RedLine
Glupteba
Modifies visiblity of hidden/system files in Explorer
Echelon
Executes dropped EXE
Modifies Windows Firewall
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-08 07:06
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Analysis: behavioral16
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
Network
Files
memory/1404-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/1404-120-0x0000000000570000-0x0000000000571000-memory.dmp
memory/2152-122-0x0000000000000000-mapping.dmp
memory/2496-123-0x0000000000000000-mapping.dmp
memory/2496-128-0x000001E6AF260000-0x000001E6AF261000-memory.dmp
memory/2496-132-0x000001E6C7AB0000-0x000001E6C7AB1000-memory.dmp
memory/2496-152-0x000001E6AD800000-0x000001E6AD802000-memory.dmp
memory/2496-153-0x000001E6AD803000-0x000001E6AD805000-memory.dmp
memory/2496-154-0x000001E6AD806000-0x000001E6AD808000-memory.dmp
memory/3680-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1e1c8f4ed558ffc8b479cce11ed3c8e2 |
| SHA1 | 37cf5d103fa8465467517e345cc8fbbcc4835933 |
| SHA256 | 5f0c871466028fd9f52eeed68748be6a0d17f24e78fbd2642f66619564726732 |
| SHA512 | 0e8e629d5074568021d87da89776bbcd929385771f4b9aa1c0dcf12c9482996855c7eff465ca34810b11991b664cda7e59eccca14191a266fa6fddbea59f9ad1 |
memory/3680-172-0x000002E39AB10000-0x000002E39AB12000-memory.dmp
memory/3680-174-0x000002E39AB13000-0x000002E39AB15000-memory.dmp
memory/2496-170-0x000001E6AD808000-0x000001E6AD809000-memory.dmp
memory/404-192-0x0000000000000000-mapping.dmp
memory/3680-194-0x000002E39AB16000-0x000002E39AB18000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7c1532f9ede6c767ac7199fd70b42eaf |
| SHA1 | c56b395f50026b752112a384e5a4a18059208f59 |
| SHA256 | 084e30202b9584447cf3a1bfb62327c09e6de0767d3382e81e91ee27a2ba0ca6 |
| SHA512 | 2eb24c33b7ba04c700c33913a435d4a444a96bb01560ab11ad5530190cdbc93c34a3776ebbbf847d5dff78872bab6200ea0de9cc9cda6cef4c7fe2eb2c7b0737 |
memory/404-196-0x0000016EB8F20000-0x0000016EB8F22000-memory.dmp
memory/3680-195-0x000002E39AB18000-0x000002E39AB19000-memory.dmp
memory/404-197-0x0000016EB8F23000-0x0000016EB8F25000-memory.dmp
memory/3052-198-0x0000000000000000-mapping.dmp
memory/404-199-0x0000016EB8F26000-0x0000016EB8F28000-memory.dmp
memory/3052-201-0x0000025EA8F00000-0x0000025EA8F02000-memory.dmp
memory/404-200-0x0000016EB8F28000-0x0000016EB8F29000-memory.dmp
memory/3052-202-0x0000025EA8F03000-0x0000025EA8F05000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 26d9025cd2f398aa93206c09c5c57349 |
| SHA1 | 4b6bb3337f49c87075bf6b5f4387cb07d0f83108 |
| SHA256 | 1804b8978794439e91a2641edc987af0c99bcae704878ce10d76b32926f6afb4 |
| SHA512 | 079f1ea53e053cec86ed06e70e1b92b0c0347da77269dc0eb7f81cab10f41c0f9fdbb4c02220eb2f1b0e1ad49760b04fd95551ca4df37a14224abb711141795d |
memory/3052-205-0x0000025EA8F08000-0x0000025EA8F09000-memory.dmp
memory/3052-204-0x0000025EA8F06000-0x0000025EA8F08000-memory.dmp
memory/3940-206-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
memory/1776-209-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 8c8438cf2ec0e6ea7435c2618b656a62 |
| SHA1 | 268c7d79daa1b2442f660e18d444075684c498bd |
| SHA256 | bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d |
| SHA512 | 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4 |
\??\c:\windows\resources\themes\explorer.exe
| MD5 | 8c8438cf2ec0e6ea7435c2618b656a62 |
| SHA1 | 268c7d79daa1b2442f660e18d444075684c498bd |
| SHA256 | bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d |
| SHA512 | 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4 |
memory/3016-212-0x0000000000000000-mapping.dmp
\??\c:\windows\resources\spoolsv.exe
| MD5 | 028df5bfcc82c179f9b1688a19e4d317 |
| SHA1 | 64a183b9387a553e882da758157ed30bd60bd780 |
| SHA256 | 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b |
| SHA512 | 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1 |
C:\Windows\Resources\spoolsv.exe
| MD5 | 028df5bfcc82c179f9b1688a19e4d317 |
| SHA1 | 64a183b9387a553e882da758157ed30bd60bd780 |
| SHA256 | 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b |
| SHA512 | 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1 |
memory/3604-215-0x0000000000000000-mapping.dmp
C:\Windows\Resources\svchost.exe
| MD5 | 099b18a50e7a607d5d5e54cc6c5b4b1d |
| SHA1 | 36f44282c93d1ef39ae1bab0021c7f668852e5d3 |
| SHA256 | d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2 |
| SHA512 | a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24 |
\??\c:\windows\resources\svchost.exe
| MD5 | 099b18a50e7a607d5d5e54cc6c5b4b1d |
| SHA1 | 36f44282c93d1ef39ae1bab0021c7f668852e5d3 |
| SHA256 | d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2 |
| SHA512 | a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24 |
memory/4012-218-0x0000000000000000-mapping.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | 028df5bfcc82c179f9b1688a19e4d317 |
| SHA1 | 64a183b9387a553e882da758157ed30bd60bd780 |
| SHA256 | 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b |
| SHA512 | 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1 |
memory/1404-220-0x000000001C9C0000-0x000000001C9C2000-memory.dmp
memory/740-221-0x0000000000000000-mapping.dmp
memory/1724-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
memory/2388-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
memory/3968-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
C:\Users\Admin\AppData\Local\Temp\Services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
memory/2232-226-0x0000000000000000-mapping.dmp
memory/576-230-0x0000000000000000-mapping.dmp
memory/2164-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
\??\c:\users\admin\appdata\local\temp\services32.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/2424-234-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa704b7db8cf07dbb9e0b17a53bbc4e5 |
| SHA1 | f74e668e9b89d62ffb1464271aba4a675a9d357f |
| SHA256 | c97b89ce970dfb0761e0b690be2950cfff4c34c254c472e13556ce3863ccbdb7 |
| SHA512 | 7e58504658aefcc3bb122d03f5e19c5ca860f1fbdd3ca276cfade4c523d8ac1982d5cf0fc3e1e47b088050637f580f255206486aa6162ece8f82d5cfb36cec61 |
memory/576-237-0x0000012878BB0000-0x0000012878BB2000-memory.dmp
memory/576-238-0x0000012878BB3000-0x0000012878BB5000-memory.dmp
memory/648-236-0x0000000000000000-mapping.dmp
memory/648-239-0x00000292F6DF0000-0x00000292F6DF2000-memory.dmp
memory/648-240-0x00000292F6DF3000-0x00000292F6DF5000-memory.dmp
memory/348-241-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 51ba6bed5b573b201974d4edc76ffe8d |
| SHA1 | a6f6dd957338717ea9385f7aef2c1aeb250322fc |
| SHA256 | 497be848da48076dce041f961e120e79541f554f8ef0e927f0e25594170ea3b9 |
| SHA512 | 640b6084944c67358984f34ff2b6504f73e54ea221ed697ef7703b6013a8192959a62d1e20516155802c18b20ac8a4812f2192ceaa4b40582d2df9efbcf00622 |
memory/2152-243-0x0000000000000000-mapping.dmp
memory/576-244-0x0000012878BB6000-0x0000012878BB8000-memory.dmp
memory/648-245-0x00000292F6DF6000-0x00000292F6DF8000-memory.dmp
memory/576-246-0x0000012878BB8000-0x0000012878BB9000-memory.dmp
memory/348-247-0x000002D36C110000-0x000002D36C112000-memory.dmp
memory/348-248-0x000002D36C113000-0x000002D36C115000-memory.dmp
memory/648-249-0x00000292F6DF8000-0x00000292F6DF9000-memory.dmp
memory/2152-252-0x000002B1A46B0000-0x000002B1A46B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f2b69ffd60cc6e42514f2d6380e08771 |
| SHA1 | 7d45cb8247c01a1cb1c5d48f12318823a72331f9 |
| SHA256 | 4194bf9e10cc331cfdb2625bd0c0a22c7e46975797ebe2c7f155e92941431f84 |
| SHA512 | fcd37ea57654c0eb1dfcc777ae9f66a0cb322da9bc7bcbb8a8e6e2ebf5bceafefbffa41eb277e430ee44712a7233709138503d51e3e8618bd0e95a8e321d370f |
memory/2152-253-0x000002B1A46B3000-0x000002B1A46B5000-memory.dmp
memory/348-250-0x000002D36C116000-0x000002D36C118000-memory.dmp
memory/4012-254-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8b64e8a76227430c2295a4530f2091df |
| SHA1 | aa60958291be00727dc3d38e869eb9eae4434482 |
| SHA256 | 50edab164b713502876a21af92297c768b8a14671b2fe119a119788aec4ca20d |
| SHA512 | addd2dce133719b8e19224f533b2f4ec48bd51d0508796e6bc681f4f63c55bdd43da7aec5aa56da305f17362c7aa9ad708a426430d5531df63b5a6c350717d16 |
memory/3728-256-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7ecbde2e98a22aacba0d18e3729f668a |
| SHA1 | c4a99ac958d5f01944cb5fe90bcebdb136155f2f |
| SHA256 | a93bd244f711d641dd2d0969460d3f53bb166f484d558fd34e30895732840cbe |
| SHA512 | 7783624627818b8c36771c03dd5fb141380e90ceade194f2e7394862895c173b1e667721b726acc8e501e7e9aaf8e53a1aca94e41f4dd45fef3733abeaa1bcfc |
memory/2152-258-0x000002B1A46B6000-0x000002B1A46B8000-memory.dmp
memory/4012-260-0x0000020768090000-0x0000020768092000-memory.dmp
memory/348-259-0x000002D36C118000-0x000002D36C119000-memory.dmp
memory/4012-261-0x0000020768093000-0x0000020768095000-memory.dmp
memory/4012-263-0x0000020768096000-0x0000020768098000-memory.dmp
memory/2152-262-0x000002B1A46B8000-0x000002B1A46B9000-memory.dmp
memory/3728-264-0x000001E7B49C0000-0x000001E7B49C2000-memory.dmp
memory/3728-265-0x000001E7B49C3000-0x000001E7B49C5000-memory.dmp
memory/956-266-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31216586aa0b3d3e0fd86175e8f8d8d2 |
| SHA1 | 64710bad30ccca835a45875fdd6a669cb253a206 |
| SHA256 | ea6e656c7d3f23cae36e4b17276d96724d39b10da526af426dd1fcfd2df3d694 |
| SHA512 | 544ab93598da507bceee8a31e087232a816d14c9b35d531aedc1b119a808634b2cd11d996fd78f7a8876fa4de8fe18d96ca72f378c42dbbfb3cdef641776721c |
memory/2636-268-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 33d7d3d68d5d35984eea73d0aaaed7eb |
| SHA1 | 965e66f8a3e098fd291c7c02b71eb8623162674c |
| SHA256 | 76f8eb458f16482d03f7d10d340696781aa6ac42e7a366530739675dc3451baf |
| SHA512 | 7d81ededb6965fddcc81c44bf538890638517139afbbfb15a1cf86caec3eeea82499d61f23d2a9593cd7f5c9a0027b179f3178e5a48e086f764de85331f277c6 |
memory/3728-270-0x000001E7B49C6000-0x000001E7B49C8000-memory.dmp
memory/4012-271-0x0000020768098000-0x0000020768099000-memory.dmp
memory/956-272-0x000001FD228F0000-0x000001FD228F2000-memory.dmp
memory/956-273-0x000001FD228F8000-0x000001FD228F9000-memory.dmp
memory/956-274-0x000001FD228F3000-0x000001FD228F5000-memory.dmp
memory/3728-275-0x000001E7B49C8000-0x000001E7B49C9000-memory.dmp
memory/956-276-0x000001FD228F6000-0x000001FD228F8000-memory.dmp
memory/2636-278-0x000001A4AE7D3000-0x000001A4AE7D5000-memory.dmp
memory/2636-279-0x000001A4AE7D6000-0x000001A4AE7D8000-memory.dmp
memory/2636-277-0x000001A4AE7D0000-0x000001A4AE7D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 291ebcf65c502bf17368d64ce32bb818 |
| SHA1 | 97543eb41c5a7c5e1ec626fb397c03356a9c92f8 |
| SHA256 | 8a41006fc58d8e56aeabbf52af497f8e7f4f407406f4e287a7618af151e65e3d |
| SHA512 | 626408b49b9e43e0bdfc97d35bc0cdc98ef5be96250d863395e020562c0ca1d824f2be8fc6c0ae813ec605c5555995a7a5a434adf0bbc810845696f73ed4d473 |
memory/2636-281-0x000001A4AE7D8000-0x000001A4AE7D9000-memory.dmp
memory/2632-282-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
\??\c:\windows\resources\themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
memory/2056-285-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 8c8438cf2ec0e6ea7435c2618b656a62 |
| SHA1 | 268c7d79daa1b2442f660e18d444075684c498bd |
| SHA256 | bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d |
| SHA512 | 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4 |
memory/2164-287-0x0000000001450000-0x0000000001452000-memory.dmp
memory/1600-288-0x0000000000000000-mapping.dmp
memory/2696-289-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win7v20210410
Max time kernel
50s
Max time network
54s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 484 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF81.tmp"
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 152.228.150.198:11188 | 152.228.150.198 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
Files
memory/484-60-0x0000000000920000-0x0000000000921000-memory.dmp
memory/484-62-0x0000000002210000-0x0000000002211000-memory.dmp
memory/484-63-0x0000000000310000-0x0000000000312000-memory.dmp
memory/484-64-0x0000000007DD0000-0x0000000007E42000-memory.dmp
memory/484-65-0x0000000000700000-0x0000000000726000-memory.dmp
memory/316-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAF81.tmp
| MD5 | 5e5087ddf1c00524a7acc9f9732ee255 |
| SHA1 | 7756bfa000e98c0cb34d8fce74b3f8b9083be29b |
| SHA256 | 9113a1825fabda651473ca62c811cee3e9f57edac7cda30b0a7196906034ce42 |
| SHA512 | 15ef15485bc88e44c41281309dbc93df96157bf561fe1b0bec1a1823939831eaec07d1a1edfceb3d10b4015354fea21603a4793b58694c7ed45c993aef98bb00 |
memory/1500-68-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1500-69-0x0000000000417EB6-mapping.dmp
memory/1500-70-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1500-72-0x00000000008C0000-0x00000000008C1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210408
Max time kernel
56s
Max time network
73s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 652 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCF3.tmp"
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 152.228.150.198:11188 | 152.228.150.198 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
Files
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/652-116-0x0000000005240000-0x0000000005241000-memory.dmp
memory/652-117-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/652-118-0x0000000004D40000-0x000000000523E000-memory.dmp
memory/652-119-0x0000000004C70000-0x0000000004C71000-memory.dmp
memory/652-120-0x0000000008400000-0x0000000008401000-memory.dmp
memory/652-121-0x0000000005220000-0x0000000005222000-memory.dmp
memory/652-122-0x0000000006880000-0x00000000068F2000-memory.dmp
memory/652-123-0x0000000006A50000-0x0000000006A76000-memory.dmp
memory/1416-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFCF3.tmp
| MD5 | 64fdfac90fc4b8507a615754fc21e2b7 |
| SHA1 | 568a0b2eed35375c9213d9f364d1c15e1babff90 |
| SHA256 | 0060c1f70ee90fba524ebd55636308647943f46a50bbca109924505e2c642c9f |
| SHA512 | 5c9282502ff39c421ef6bd633177d7e560569146f2be0eebd6e0623dc47d8671aca861833d3ebae4f9b9d54093d1df221c4dfefb970e9edd713a5b666e254a02 |
memory/3488-126-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3488-127-0x0000000000417EB6-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
memory/3488-131-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/3488-132-0x0000000005520000-0x0000000005521000-memory.dmp
memory/3488-133-0x0000000005580000-0x0000000005581000-memory.dmp
memory/3488-134-0x00000000055C0000-0x00000000055C1000-memory.dmp
memory/3488-135-0x0000000005500000-0x0000000005B06000-memory.dmp
memory/3488-136-0x0000000005830000-0x0000000005831000-memory.dmp
memory/3488-137-0x0000000006AB0000-0x0000000006AB1000-memory.dmp
memory/3488-138-0x00000000071B0000-0x00000000071B1000-memory.dmp
memory/3488-141-0x0000000007A70000-0x0000000007A71000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210410
Max time kernel
15s
Max time network
63s
Command Line
Signatures
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | iceanedy.com | udp |
| N/A | 172.67.214.126:443 | iceanedy.com | tcp |
Files
memory/1632-59-0x0000000002B50000-0x0000000003476000-memory.dmp
memory/1632-60-0x0000000000400000-0x0000000000D41000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210408
Max time kernel
150s
Max time network
200s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Modifies Windows Firewall
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"
C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 13.59.15.185:17971 | 2.tcp.ngrok.io | tcp |
Files
memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmp
\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
memory/1456-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
memory/580-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
memory/580-69-0x0000000000390000-0x0000000000391000-memory.dmp
memory/1488-70-0x0000000000000000-mapping.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Modifies Windows Firewall
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"
C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
| N/A | 3.138.45.170:17971 | 2.tcp.ngrok.io | tcp |
Files
memory/1896-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
memory/2356-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
memory/2356-119-0x0000000002B50000-0x0000000002B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
memory/2920-121-0x0000000000000000-mapping.dmp
memory/2208-122-0x0000000000000000-mapping.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210408
Max time kernel
151s
Max time network
49s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:06 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:07 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:08 /f
Network
Files
\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/1448-64-0x0000000000000000-mapping.dmp
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/1448-67-0x000000013FBC0000-0x000000013FBC1000-memory.dmp
memory/1672-69-0x0000000000000000-mapping.dmp
memory/1608-70-0x0000000000000000-mapping.dmp
memory/1608-71-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp
memory/1608-72-0x0000000002080000-0x0000000002081000-memory.dmp
memory/1608-73-0x000000001AA30000-0x000000001AA31000-memory.dmp
memory/1608-74-0x000000001A760000-0x000000001A761000-memory.dmp
memory/1608-75-0x000000001A990000-0x000000001A991000-memory.dmp
memory/1608-76-0x000000001A9B0000-0x000000001A9B2000-memory.dmp
memory/1608-77-0x000000001A9B4000-0x000000001A9B6000-memory.dmp
memory/1608-78-0x000000001B3C0000-0x000000001B3C1000-memory.dmp
memory/1608-81-0x000000001B3F0000-0x000000001B3F1000-memory.dmp
memory/1608-93-0x000000001B450000-0x000000001B451000-memory.dmp
memory/1608-94-0x000000001B460000-0x000000001B461000-memory.dmp
memory/1292-95-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 54d6cc008e989cf18fd62e341eba0274 |
| SHA1 | cefd027fac1c5bc86bd6ea8cb1e7cb234384864f |
| SHA256 | a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8 |
| SHA512 | bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2 |
memory/1292-98-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/1292-99-0x000000001AC00000-0x000000001AC01000-memory.dmp
memory/1292-100-0x0000000002550000-0x0000000002551000-memory.dmp
memory/1292-102-0x000000001AB84000-0x000000001AB86000-memory.dmp
memory/1292-101-0x000000001AB80000-0x000000001AB82000-memory.dmp
memory/1292-103-0x0000000002400000-0x0000000002401000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 109ddd9d9274fc7a0f98d903cb9cc1fe |
| SHA1 | 8745aa9a57c1b752e83387745c2b1bc43bb3626b |
| SHA256 | 4e80b55a36c690fdc45f066cc78b73ac855f4afe9d7e7affd61b5e1fcf0969fe |
| SHA512 | 9f1b687288290e1bc5826f2a715a190d2cf0a57e605805d2b24a808d19501520f583f1314227a1cb9416a96bd94bc321ddff57b1ace31f03632ef5d101665542 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9bd3a235-800a-4d6a-ba93-a1170c58da7e
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0c700710-19bd-4cbc-bb0d-177e8138058c
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_747bdf1d-1046-4eeb-9947-1d87226e5203
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6412e505-fc2c-416c-8df2-48c2384208f0
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fba6c941-cf5b-4667-a9d6-b38365da9280
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36fe3446-9fd2-46b8-a05b-397c04229954
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de0afcc7-7a35-41e7-8005-d4eaefcb8ae4
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
memory/920-112-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 54d6cc008e989cf18fd62e341eba0274 |
| SHA1 | cefd027fac1c5bc86bd6ea8cb1e7cb234384864f |
| SHA256 | a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8 |
| SHA512 | bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2 |
memory/920-119-0x000000001AB30000-0x000000001AB32000-memory.dmp
memory/920-120-0x000000001AB34000-0x000000001AB36000-memory.dmp
memory/260-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 54d6cc008e989cf18fd62e341eba0274 |
| SHA1 | cefd027fac1c5bc86bd6ea8cb1e7cb234384864f |
| SHA256 | a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8 |
| SHA512 | bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2 |
memory/260-127-0x000000001A920000-0x000000001A922000-memory.dmp
memory/260-128-0x000000001A924000-0x000000001A926000-memory.dmp
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
memory/1988-131-0x0000000000000000-mapping.dmp
\??\c:\windows\resources\themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
memory/604-138-0x0000000000000000-mapping.dmp
\Windows\Resources\Themes\explorer.exe
| MD5 | b5ce94bc12efa5a9f28b93a525edd1d3 |
| SHA1 | d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d |
| SHA256 | ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a |
| SHA512 | 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | b5ce94bc12efa5a9f28b93a525edd1d3 |
| SHA1 | d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d |
| SHA256 | ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a |
| SHA512 | 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281 |
\??\c:\windows\resources\themes\explorer.exe
| MD5 | b5ce94bc12efa5a9f28b93a525edd1d3 |
| SHA1 | d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d |
| SHA256 | ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a |
| SHA512 | 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281 |
\Windows\Resources\spoolsv.exe
| MD5 | 161db796a25cf2bbd19f18d438400cf9 |
| SHA1 | b42436bece3a15771cb54f60d4a47e0469660c02 |
| SHA256 | 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a |
| SHA512 | 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32 |
memory/1552-145-0x0000000000000000-mapping.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | 161db796a25cf2bbd19f18d438400cf9 |
| SHA1 | b42436bece3a15771cb54f60d4a47e0469660c02 |
| SHA256 | 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a |
| SHA512 | 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32 |
\??\c:\windows\resources\spoolsv.exe
| MD5 | 161db796a25cf2bbd19f18d438400cf9 |
| SHA1 | b42436bece3a15771cb54f60d4a47e0469660c02 |
| SHA256 | 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a |
| SHA512 | 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32 |
memory/1864-152-0x0000000000000000-mapping.dmp
\Windows\Resources\svchost.exe
| MD5 | 96002ea74ef7086cabcd0b74b6eae617 |
| SHA1 | c251574fecf4d1453c01c0d36d02ead805d14eb7 |
| SHA256 | 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab |
| SHA512 | f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7 |
C:\Windows\Resources\svchost.exe
| MD5 | 96002ea74ef7086cabcd0b74b6eae617 |
| SHA1 | c251574fecf4d1453c01c0d36d02ead805d14eb7 |
| SHA256 | 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab |
| SHA512 | f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7 |
memory/1800-159-0x0000000000000000-mapping.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | 161db796a25cf2bbd19f18d438400cf9 |
| SHA1 | b42436bece3a15771cb54f60d4a47e0469660c02 |
| SHA256 | 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a |
| SHA512 | 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32 |
\??\c:\windows\resources\svchost.exe
| MD5 | 96002ea74ef7086cabcd0b74b6eae617 |
| SHA1 | c251574fecf4d1453c01c0d36d02ead805d14eb7 |
| SHA256 | 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab |
| SHA512 | f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7 |
\Windows\Resources\spoolsv.exe
| MD5 | 161db796a25cf2bbd19f18d438400cf9 |
| SHA1 | b42436bece3a15771cb54f60d4a47e0469660c02 |
| SHA256 | 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a |
| SHA512 | 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32 |
memory/1624-164-0x0000000000000000-mapping.dmp
memory/1020-166-0x0000000000000000-mapping.dmp
memory/1448-167-0x0000000000560000-0x0000000000568000-memory.dmp
memory/1448-168-0x000000001B810000-0x000000001B812000-memory.dmp
memory/1564-169-0x0000000000000000-mapping.dmp
memory/944-170-0x0000000000000000-mapping.dmp
memory/900-172-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
memory/1380-175-0x0000000000000000-mapping.dmp
memory/900-176-0x000000013F560000-0x000000013F561000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
\??\c:\users\admin\appdata\local\temp\services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
memory/1580-184-0x0000000000000000-mapping.dmp
\??\c:\users\admin\appdata\local\temp\services32.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
C:\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/1568-187-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/584-188-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 54d6cc008e989cf18fd62e341eba0274 |
| SHA1 | cefd027fac1c5bc86bd6ea8cb1e7cb234384864f |
| SHA256 | a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8 |
| SHA512 | bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/584-191-0x000000001ACF0000-0x000000001ACF2000-memory.dmp
memory/584-192-0x000000001ACF4000-0x000000001ACF6000-memory.dmp
memory/1992-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1992-196-0x000000001AC74000-0x000000001AC76000-memory.dmp
memory/1992-195-0x000000001AC70000-0x000000001AC72000-memory.dmp
memory/1140-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1140-199-0x000000001AE40000-0x000000001AE42000-memory.dmp
memory/1140-200-0x000000001AE44000-0x000000001AE46000-memory.dmp
memory/1364-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1364-203-0x000000001AD20000-0x000000001AD22000-memory.dmp
memory/1364-204-0x000000001AD24000-0x000000001AD26000-memory.dmp
memory/1200-206-0x0000000000000000-mapping.dmp
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
\??\c:\windows\resources\themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | b5ce94bc12efa5a9f28b93a525edd1d3 |
| SHA1 | d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d |
| SHA256 | ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a |
| SHA512 | 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281 |
memory/1544-209-0x0000000000000000-mapping.dmp
memory/1384-211-0x0000000000000000-mapping.dmp
memory/1452-212-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1580-214-0x000000001ABB0000-0x000000001ABB2000-memory.dmp
memory/1452-215-0x000000001ADA0000-0x000000001ADA2000-memory.dmp
memory/1452-216-0x000000001ADA4000-0x000000001ADA6000-memory.dmp
memory/1268-217-0x0000000000000000-mapping.dmp
memory/316-218-0x0000000000000000-mapping.dmp
memory/1652-219-0x0000000000000000-mapping.dmp
memory/792-220-0x0000000000000000-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/792-223-0x000000001AA50000-0x000000001AA52000-memory.dmp
memory/792-224-0x000000001AA54000-0x000000001AA56000-memory.dmp
memory/1648-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1648-227-0x000000001ABF0000-0x000000001ABF2000-memory.dmp
memory/1648-228-0x000000001ABF4000-0x000000001ABF6000-memory.dmp
memory/1976-229-0x0000000000000000-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 530394d7fd15e8365d1ba1789015102c |
| SHA1 | 051bef53bb017c7f70c694eab2c57f6a4654b3e6 |
| SHA256 | 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832 |
| SHA512 | 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534 |
memory/1976-232-0x000000001AC70000-0x000000001AC72000-memory.dmp
memory/1976-233-0x000000001AC74000-0x000000001AC76000-memory.dmp
memory/1316-234-0x0000000000000000-mapping.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win7v20210408
Max time kernel
134s
Max time network
146s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe
"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp |
Files
memory/940-60-0x0000000000B70000-0x0000000000B71000-memory.dmp
memory/940-62-0x000000001B300000-0x000000001B302000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
21s
Max time network
117s
Command Line
Signatures
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.220.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | f0558828.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0558828.xsph.ru | tcp |
Files
memory/3608-114-0x0000017F3B480000-0x0000017F3B481000-memory.dmp
memory/3608-116-0x0000017F3D1F0000-0x0000017F3D261000-memory.dmp
memory/3608-117-0x0000017F55CB0000-0x0000017F55CB2000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210410
Max time kernel
147s
Max time network
200s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1048 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp |
Files
memory/1048-60-0x0000000000060000-0x0000000000061000-memory.dmp
memory/1048-62-0x0000000004890000-0x0000000004891000-memory.dmp
memory/320-63-0x0000000000400000-0x000000000041E000-memory.dmp
memory/320-64-0x0000000000417E42-mapping.dmp
memory/320-65-0x0000000000400000-0x000000000041E000-memory.dmp
memory/320-67-0x0000000004360000-0x0000000004361000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
17s
Max time network
152s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
C:\Users\Admin\AppData\Roaming\output.exe
"C:\Users\Admin\AppData\Roaming\output.exe"
C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe
"C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.81.227.32:22625 | 45.81.227.32 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| N/A | 34.202.33.33:80 | checkip.amazonaws.com | tcp |
| N/A | 8.8.8.8:53 | whois.iana.org | udp |
| N/A | 192.0.47.59:43 | whois.iana.org | tcp |
| N/A | 8.8.8.8:53 | WHOIS.AFRINIC.NET | udp |
| N/A | 196.216.2.21:43 | WHOIS.AFRINIC.NET | tcp |
Files
memory/1240-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
memory/1240-119-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
memory/1240-121-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/3780-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
memory/3780-125-0x0000000000D70000-0x0000000000D71000-memory.dmp
memory/3780-127-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/3780-128-0x0000000006620000-0x0000000006621000-memory.dmp
memory/3780-129-0x0000000005770000-0x0000000005771000-memory.dmp
memory/3780-130-0x0000000005730000-0x0000000005731000-memory.dmp
memory/3780-131-0x0000000005850000-0x0000000005851000-memory.dmp
memory/3780-132-0x0000000007D70000-0x0000000007D71000-memory.dmp
memory/3780-133-0x0000000005610000-0x0000000005B0E000-memory.dmp
memory/3780-134-0x0000000007F20000-0x0000000007F21000-memory.dmp
memory/3780-135-0x0000000008750000-0x0000000008751000-memory.dmp
memory/3780-136-0x0000000008E50000-0x0000000008E51000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210408
Max time kernel
10s
Max time network
83s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe
"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
129s
Max time network
155s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe
"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp | |
| N/A | 95.169.210.148:6666 | tcp |
Files
memory/500-114-0x0000000000390000-0x0000000000391000-memory.dmp
memory/500-116-0x000000001B0C0000-0x000000001B0C2000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210408
Max time kernel
17s
Max time network
67s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.175.90:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | f0558828.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0558828.xsph.ru | tcp |
Files
memory/564-59-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/564-61-0x0000000000740000-0x00000000007B1000-memory.dmp
memory/564-62-0x000000001B0B0000-0x000000001B0B2000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:10
Platform
win7v20210408
Max time kernel
123s
Max time network
160s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
C:\Users\Admin\AppData\Roaming\output.exe
"C:\Users\Admin\AppData\Roaming\output.exe"
C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe
"C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.81.227.32:22625 | 45.81.227.32 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| N/A | 100.24.147.96:80 | checkip.amazonaws.com | tcp |
| N/A | 8.8.8.8:53 | whois.iana.org | udp |
| N/A | 192.0.47.59:43 | whois.iana.org | tcp |
| N/A | 8.8.8.8:53 | WHOIS.AFRINIC.NET | udp |
| N/A | 196.216.2.20:43 | WHOIS.AFRINIC.NET | tcp |
Files
memory/1832-60-0x00000000762C1000-0x00000000762C3000-memory.dmp
\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
memory/1996-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
memory/1996-68-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/1996-70-0x00000000004D0000-0x00000000004D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
memory/588-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
memory/588-75-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/588-77-0x0000000000260000-0x0000000000261000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win7v20210410
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe
"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"
Network
Files
memory/1852-60-0x0000000076A81000-0x0000000076A83000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210408
Max time kernel
16s
Max time network
119s
Command Line
Signatures
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3396 created 996 | N/A | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3396 wrote to memory of 4056 | N/A | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe |
| PID 3396 wrote to memory of 4056 | N/A | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe |
| PID 3396 wrote to memory of 4056 | N/A | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | iceanedy.com | udp |
| N/A | 104.21.86.39:443 | iceanedy.com | tcp |
Files
memory/996-114-0x0000000002F90000-0x00000000038B6000-memory.dmp
memory/996-115-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/4056-116-0x0000000000000000-mapping.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2021-07-08 07:06
Reported
2021-07-08 07:09
Platform
win10v20210410
Max time kernel
143s
Max time network
163s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3872 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp | |
| N/A | 185.203.243.131:27365 | tcp |
Files
memory/3872-114-0x0000000000F60000-0x0000000000F61000-memory.dmp
memory/3872-116-0x00000000057D0000-0x00000000057D1000-memory.dmp
memory/3872-117-0x0000000003130000-0x0000000003131000-memory.dmp
memory/3872-118-0x0000000005980000-0x0000000005981000-memory.dmp
memory/2856-119-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2856-120-0x0000000000417E42-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe.log
| MD5 | 7438b57da35c10c478469635b79e33e1 |
| SHA1 | 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5 |
| SHA256 | b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70 |
| SHA512 | 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a |
memory/2856-124-0x0000000005890000-0x0000000005891000-memory.dmp
memory/2856-125-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/2856-126-0x0000000005310000-0x0000000005311000-memory.dmp
memory/2856-127-0x0000000005350000-0x0000000005351000-memory.dmp
memory/2856-129-0x0000000005650000-0x0000000005651000-memory.dmp
memory/2856-128-0x0000000005280000-0x0000000005886000-memory.dmp