Malware Analysis Report

2024-11-15 06:31

Sample ID 210708-bakvbc7rn2
Target 1.zip
SHA256 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409
Tags xmrig evasion miner persistence rat asyncrat redline @fanat_022 discovery infostealer spyware stealer glupteba metasploit backdoor dropper loader trojan sergey @seno_47 echelon
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral16, behavioral5, behavioral6, behavioral9, behavioral13, behavioral14, behavioral15, behavioral17, behavioral2, behavioral11, behavioral4, behavioral8, behavioral18, behavioral1, behavioral3, behavioral7, behavioral10, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Threat Level: Known bad

The file 1.zip was found to be: Known bad.

Malicious Activity Summary


Async RAT payload

Asyncrat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba Payload

MetaSploit

xmrig

AsyncRat

RedLine Payload

RedLine

Glupteba

Modifies visibility of hidden/system files in Explorer

Echelon

Executes dropped EXE

Modifies Windows Firewall

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-08 07:06

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Analysis: behavioral16

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion

xmrig

miner xmrig

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A
N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2752 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 2752 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1404 wrote to memory of 2152 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1404 wrote to memory of 2152 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2152 wrote to memory of 2496 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2496 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3680 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3680 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 404 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 404 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3052 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3052 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 2752 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 2752 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 3940 wrote to memory of 1776 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe
PID 3940 wrote to memory of 1776 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe
PID 3940 wrote to memory of 1776 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1776 wrote to memory of 3016 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1776 wrote to memory of 3016 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1776 wrote to memory of 3016 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 3016 wrote to memory of 3604 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3016 wrote to memory of 3604 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3016 wrote to memory of 3604 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3604 wrote to memory of 4012 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 3604 wrote to memory of 4012 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 3604 wrote to memory of 4012 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 1404 wrote to memory of 740 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\System32\cmd.exe
PID 1404 wrote to memory of 740 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Windows\System32\cmd.exe
PID 740 wrote to memory of 1724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 740 wrote to memory of 1724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1404 wrote to memory of 2388 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1404 wrote to memory of 2388 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1404 wrote to memory of 2232 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe
PID 1404 wrote to memory of 2232 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe
PID 1404 wrote to memory of 2232 | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe
PID 2388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3968 wrote to memory of 576 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 576 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | \??\c:\users\admin\appdata\local\temp\services32.exe
PID 2232 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | \??\c:\users\admin\appdata\local\temp\services32.exe
PID 2164 wrote to memory of 2424 | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2164 wrote to memory of 2424 | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2424 wrote to memory of 648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 348 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 348 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2152 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2152 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 4012 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 4012 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3728 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3728 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 956 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 956 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2636 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2636 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 2232 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 2232 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | C:\Windows\Resources\Themes\icsys.icn.exe
PID 2632 wrote to memory of 2056 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2632 wrote to memory of 2056 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2632 wrote to memory of 2056 | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | \??\c:\windows\resources\themes\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Users\Admin\AppData\Local\Temp\Services32.exe

"C:\Users\Admin\AppData\Local\Temp\Services32.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'

\??\c:\users\admin\appdata\local\temp\services32.exe 

c:\users\admin\appdata\local\temp\services32.exe 

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"

Network

N/A

Files

memory/1404-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

memory/1404-120-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2152-122-0x0000000000000000-mapping.dmp

memory/2496-123-0x0000000000000000-mapping.dmp

memory/2496-128-0x000001E6AF260000-0x000001E6AF261000-memory.dmp

memory/2496-132-0x000001E6C7AB0000-0x000001E6C7AB1000-memory.dmp

memory/2496-152-0x000001E6AD800000-0x000001E6AD802000-memory.dmp

memory/2496-153-0x000001E6AD803000-0x000001E6AD805000-memory.dmp

memory/2496-154-0x000001E6AD806000-0x000001E6AD808000-memory.dmp

memory/3680-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e1c8f4ed558ffc8b479cce11ed3c8e2
SHA1 37cf5d103fa8465467517e345cc8fbbcc4835933
SHA256 5f0c871466028fd9f52eeed68748be6a0d17f24e78fbd2642f66619564726732
SHA512 0e8e629d5074568021d87da89776bbcd929385771f4b9aa1c0dcf12c9482996855c7eff465ca34810b11991b664cda7e59eccca14191a266fa6fddbea59f9ad1

memory/3680-172-0x000002E39AB10000-0x000002E39AB12000-memory.dmp

memory/3680-174-0x000002E39AB13000-0x000002E39AB15000-memory.dmp

memory/2496-170-0x000001E6AD808000-0x000001E6AD809000-memory.dmp

memory/404-192-0x0000000000000000-mapping.dmp

memory/3680-194-0x000002E39AB16000-0x000002E39AB18000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7c1532f9ede6c767ac7199fd70b42eaf
SHA1 c56b395f50026b752112a384e5a4a18059208f59
SHA256 084e30202b9584447cf3a1bfb62327c09e6de0767d3382e81e91ee27a2ba0ca6
SHA512 2eb24c33b7ba04c700c33913a435d4a444a96bb01560ab11ad5530190cdbc93c34a3776ebbbf847d5dff78872bab6200ea0de9cc9cda6cef4c7fe2eb2c7b0737

memory/404-196-0x0000016EB8F20000-0x0000016EB8F22000-memory.dmp

memory/3680-195-0x000002E39AB18000-0x000002E39AB19000-memory.dmp

memory/404-197-0x0000016EB8F23000-0x0000016EB8F25000-memory.dmp

memory/3052-198-0x0000000000000000-mapping.dmp

memory/404-199-0x0000016EB8F26000-0x0000016EB8F28000-memory.dmp

memory/3052-201-0x0000025EA8F00000-0x0000025EA8F02000-memory.dmp

memory/404-200-0x0000016EB8F28000-0x0000016EB8F29000-memory.dmp

memory/3052-202-0x0000025EA8F03000-0x0000025EA8F05000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26d9025cd2f398aa93206c09c5c57349
SHA1 4b6bb3337f49c87075bf6b5f4387cb07d0f83108
SHA256 1804b8978794439e91a2641edc987af0c99bcae704878ce10d76b32926f6afb4
SHA512 079f1ea53e053cec86ed06e70e1b92b0c0347da77269dc0eb7f81cab10f41c0f9fdbb4c02220eb2f1b0e1ad49760b04fd95551ca4df37a14224abb711141795d

memory/3052-205-0x0000025EA8F08000-0x0000025EA8F09000-memory.dmp

memory/3052-204-0x0000025EA8F06000-0x0000025EA8F08000-memory.dmp

memory/3940-206-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

memory/1776-209-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 8c8438cf2ec0e6ea7435c2618b656a62
SHA1 268c7d79daa1b2442f660e18d444075684c498bd
SHA256 bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d
SHA512 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

\??\c:\windows\resources\themes\explorer.exe

MD5 8c8438cf2ec0e6ea7435c2618b656a62
SHA1 268c7d79daa1b2442f660e18d444075684c498bd
SHA256 bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d
SHA512 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

memory/3016-212-0x0000000000000000-mapping.dmp

\??\c:\windows\resources\spoolsv.exe

MD5 028df5bfcc82c179f9b1688a19e4d317
SHA1 64a183b9387a553e882da758157ed30bd60bd780
SHA256 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b
SHA512 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

C:\Windows\Resources\spoolsv.exe

MD5 028df5bfcc82c179f9b1688a19e4d317
SHA1 64a183b9387a553e882da758157ed30bd60bd780
SHA256 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b
SHA512 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

memory/3604-215-0x0000000000000000-mapping.dmp

C:\Windows\Resources\svchost.exe

MD5 099b18a50e7a607d5d5e54cc6c5b4b1d
SHA1 36f44282c93d1ef39ae1bab0021c7f668852e5d3
SHA256 d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2
SHA512 a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24

\??\c:\windows\resources\svchost.exe

MD5 099b18a50e7a607d5d5e54cc6c5b4b1d
SHA1 36f44282c93d1ef39ae1bab0021c7f668852e5d3
SHA256 d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2
SHA512 a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24

memory/4012-218-0x0000000000000000-mapping.dmp

C:\Windows\Resources\spoolsv.exe

MD5 028df5bfcc82c179f9b1688a19e4d317
SHA1 64a183b9387a553e882da758157ed30bd60bd780
SHA256 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b
SHA512 11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

memory/1404-220-0x000000001C9C0000-0x000000001C9C2000-memory.dmp

memory/740-221-0x0000000000000000-mapping.dmp

memory/1724-222-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 d1f4a92a1672d7d22a90e2567523d03e
SHA1 a1683621e2103e1df1ce22def923e4ef62ddcd11
SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b
SHA512 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

memory/2388-223-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 d1f4a92a1672d7d22a90e2567523d03e
SHA1 a1683621e2103e1df1ce22def923e4ef62ddcd11
SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b
SHA512 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

memory/3968-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Services32.exe

MD5 70c771952bc897446d3ddad90541a1e6
SHA1 b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256 aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

C:\Users\Admin\AppData\Local\Temp\Services32.exe

MD5 70c771952bc897446d3ddad90541a1e6
SHA1 b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256 aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

memory/2232-226-0x0000000000000000-mapping.dmp

memory/576-230-0x0000000000000000-mapping.dmp

memory/2164-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

\??\c:\users\admin\appdata\local\temp\services32.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

memory/2424-234-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fa704b7db8cf07dbb9e0b17a53bbc4e5
SHA1 f74e668e9b89d62ffb1464271aba4a675a9d357f
SHA256 c97b89ce970dfb0761e0b690be2950cfff4c34c254c472e13556ce3863ccbdb7
SHA512 7e58504658aefcc3bb122d03f5e19c5ca860f1fbdd3ca276cfade4c523d8ac1982d5cf0fc3e1e47b088050637f580f255206486aa6162ece8f82d5cfb36cec61

memory/576-237-0x0000012878BB0000-0x0000012878BB2000-memory.dmp

memory/576-238-0x0000012878BB3000-0x0000012878BB5000-memory.dmp

memory/648-236-0x0000000000000000-mapping.dmp

memory/648-239-0x00000292F6DF0000-0x00000292F6DF2000-memory.dmp

memory/648-240-0x00000292F6DF3000-0x00000292F6DF5000-memory.dmp

memory/348-241-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 51ba6bed5b573b201974d4edc76ffe8d
SHA1 a6f6dd957338717ea9385f7aef2c1aeb250322fc
SHA256 497be848da48076dce041f961e120e79541f554f8ef0e927f0e25594170ea3b9
SHA512 640b6084944c67358984f34ff2b6504f73e54ea221ed697ef7703b6013a8192959a62d1e20516155802c18b20ac8a4812f2192ceaa4b40582d2df9efbcf00622

memory/2152-243-0x0000000000000000-mapping.dmp

memory/576-244-0x0000012878BB6000-0x0000012878BB8000-memory.dmp

memory/648-245-0x00000292F6DF6000-0x00000292F6DF8000-memory.dmp

memory/576-246-0x0000012878BB8000-0x0000012878BB9000-memory.dmp

memory/348-247-0x000002D36C110000-0x000002D36C112000-memory.dmp

memory/348-248-0x000002D36C113000-0x000002D36C115000-memory.dmp

memory/648-249-0x00000292F6DF8000-0x00000292F6DF9000-memory.dmp

memory/2152-252-0x000002B1A46B0000-0x000002B1A46B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f2b69ffd60cc6e42514f2d6380e08771
SHA1 7d45cb8247c01a1cb1c5d48f12318823a72331f9
SHA256 4194bf9e10cc331cfdb2625bd0c0a22c7e46975797ebe2c7f155e92941431f84
SHA512 fcd37ea57654c0eb1dfcc777ae9f66a0cb322da9bc7bcbb8a8e6e2ebf5bceafefbffa41eb277e430ee44712a7233709138503d51e3e8618bd0e95a8e321d370f

memory/2152-253-0x000002B1A46B3000-0x000002B1A46B5000-memory.dmp

memory/348-250-0x000002D36C116000-0x000002D36C118000-memory.dmp

memory/4012-254-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b64e8a76227430c2295a4530f2091df
SHA1 aa60958291be00727dc3d38e869eb9eae4434482
SHA256 50edab164b713502876a21af92297c768b8a14671b2fe119a119788aec4ca20d
SHA512 addd2dce133719b8e19224f533b2f4ec48bd51d0508796e6bc681f4f63c55bdd43da7aec5aa56da305f17362c7aa9ad708a426430d5531df63b5a6c350717d16

memory/3728-256-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ecbde2e98a22aacba0d18e3729f668a
SHA1 c4a99ac958d5f01944cb5fe90bcebdb136155f2f
SHA256 a93bd244f711d641dd2d0969460d3f53bb166f484d558fd34e30895732840cbe
SHA512 7783624627818b8c36771c03dd5fb141380e90ceade194f2e7394862895c173b1e667721b726acc8e501e7e9aaf8e53a1aca94e41f4dd45fef3733abeaa1bcfc

memory/2152-258-0x000002B1A46B6000-0x000002B1A46B8000-memory.dmp

memory/4012-260-0x0000020768090000-0x0000020768092000-memory.dmp

memory/348-259-0x000002D36C118000-0x000002D36C119000-memory.dmp

memory/4012-261-0x0000020768093000-0x0000020768095000-memory.dmp

memory/4012-263-0x0000020768096000-0x0000020768098000-memory.dmp

memory/2152-262-0x000002B1A46B8000-0x000002B1A46B9000-memory.dmp

memory/3728-264-0x000001E7B49C0000-0x000001E7B49C2000-memory.dmp

memory/3728-265-0x000001E7B49C3000-0x000001E7B49C5000-memory.dmp

memory/956-266-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 31216586aa0b3d3e0fd86175e8f8d8d2
SHA1 64710bad30ccca835a45875fdd6a669cb253a206
SHA256 ea6e656c7d3f23cae36e4b17276d96724d39b10da526af426dd1fcfd2df3d694
SHA512 544ab93598da507bceee8a31e087232a816d14c9b35d531aedc1b119a808634b2cd11d996fd78f7a8876fa4de8fe18d96ca72f378c42dbbfb3cdef641776721c

memory/2636-268-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33d7d3d68d5d35984eea73d0aaaed7eb
SHA1 965e66f8a3e098fd291c7c02b71eb8623162674c
SHA256 76f8eb458f16482d03f7d10d340696781aa6ac42e7a366530739675dc3451baf
SHA512 7d81ededb6965fddcc81c44bf538890638517139afbbfb15a1cf86caec3eeea82499d61f23d2a9593cd7f5c9a0027b179f3178e5a48e086f764de85331f277c6

memory/3728-270-0x000001E7B49C6000-0x000001E7B49C8000-memory.dmp

memory/4012-271-0x0000020768098000-0x0000020768099000-memory.dmp

memory/956-272-0x000001FD228F0000-0x000001FD228F2000-memory.dmp

memory/956-273-0x000001FD228F8000-0x000001FD228F9000-memory.dmp

memory/956-274-0x000001FD228F3000-0x000001FD228F5000-memory.dmp

memory/3728-275-0x000001E7B49C8000-0x000001E7B49C9000-memory.dmp

memory/956-276-0x000001FD228F6000-0x000001FD228F8000-memory.dmp

memory/2636-278-0x000001A4AE7D3000-0x000001A4AE7D5000-memory.dmp

memory/2636-279-0x000001A4AE7D6000-0x000001A4AE7D8000-memory.dmp

memory/2636-277-0x000001A4AE7D0000-0x000001A4AE7D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 291ebcf65c502bf17368d64ce32bb818
SHA1 97543eb41c5a7c5e1ec626fb397c03356a9c92f8
SHA256 8a41006fc58d8e56aeabbf52af497f8e7f4f407406f4e287a7618af151e65e3d
SHA512 626408b49b9e43e0bdfc97d35bc0cdc98ef5be96250d863395e020562c0ca1d824f2be8fc6c0ae813ec605c5555995a7a5a434adf0bbc810845696f73ed4d473

memory/2636-281-0x000001A4AE7D8000-0x000001A4AE7D9000-memory.dmp

memory/2632-282-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

\??\c:\windows\resources\themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

memory/2056-285-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 8c8438cf2ec0e6ea7435c2618b656a62
SHA1 268c7d79daa1b2442f660e18d444075684c498bd
SHA256 bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d
SHA512 26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

memory/2164-287-0x0000000001450000-0x0000000001452000-memory.dmp

memory/1600-288-0x0000000000000000-mapping.dmp

memory/2696-289-0x0000000000000000-mapping.dmp
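The Files listing above carries three signals that are easy to miss when reading hash blocks one at a time: the same SHA256 (9a05d71f…) is written under two names, aefd0c77….exe and services32.exe, both recorded with a trailing space; a second, different binary (SHA256 aefd0c77…) is saved as Services32.exe, so two distinct payloads share a name up to case and whitespace; and explorer.exe, spoolsv.exe and svchost.exe are dropped under C:\Windows\Resources, where no Windows binary of those names belongs, alongside lookalikes such as sihost32.exe. The Python below is an added example, not part of this report, that parses the flattened path-plus-hash records and surfaces each of those patterns. The listing reproduces a subset of the records above (SHA256 lines only); the lists of system binary names and their legitimate directories are this example's assumptions about a stock installation.

```python
"""Cross-check the dropped-file listing for renamed copies, masquerading and
lookalike names.

Added example (not part of the sandbox report). SAMPLE_FILE_LISTING reproduces a
subset of the Files section, keeping only the SHA256 line of each record; the
system-binary and directory lists are this example's assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

SAMPLE_FILE_LISTING = [
    "memory/1404-117-0x0000000000000000-mapping.dmp",
    # The trailing space in the next two names is part of the recorded path.
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe ",
    "SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f",
    "\\??\\c:\\users\\admin\\appdata\\local\\temp\\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe ",
    "SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f",
    "C:\\Windows\\Resources\\Themes\\icsys.icn.exe",
    "SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792",
    "C:\\Windows\\Resources\\Themes\\explorer.exe",
    "SHA256 bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d",
    "\\??\\c:\\windows\\resources\\spoolsv.exe",
    "SHA256 5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b",
    "C:\\Windows\\Resources\\svchost.exe",
    "SHA256 d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2",
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Telemetry\\sihost32.exe",
    "SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\Services32.exe",
    "SHA256 aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\services32.exe ",
    "SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f",
]

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)\s*$")
# Names Windows ships in fixed places and where they belong (assumed, illustrative list).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "spoolsv.exe", "services.exe",
                   "sihost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass
class FileRecord:
    path: str  # exactly as recorded, trailing whitespace kept
    hashes: Dict[str, str] = field(default_factory=dict)


def normalize(path: str) -> str:
    """Fold the NT object-manager prefix and case so both spellings of one file agree."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def parse_file_records(lines: Iterable[str]) -> List[FileRecord]:
    records: List[FileRecord] = []
    current = None
    for line in lines:
        if not line.strip():
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        if line.startswith("memory/"):  # memory artifacts carry no hashes
            current = None
            continue
        current = FileRecord(path=line)
        records.append(current)
    return [r for r in records if "SHA256" in r.hashes]


def renamed_copies(records):
    """SHA256 -> distinct paths, for every hash written under more than one name."""
    by_hash = defaultdict(set)
    for r in records:
        by_hash[r.hashes["SHA256"]].add(normalize(r.path))
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def masquerades(records):
    """Normalized path -> 'exact' (system name outside its directory) or
    'lookalike' (system name with digits inserted, e.g. services32.exe)."""
    out = {}
    for r in records:
        p = normalize(r.path)
        directory, _, name = p.rpartition("\\")
        base = name.strip()
        if base in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
            out[p] = "exact"
        elif base not in SYSTEM_BINARIES and re.sub(r"\d+", "", base) in SYSTEM_BINARIES:
            out[p] = "lookalike"
    return out


def name_collisions(records):
    """Case-folded, whitespace-stripped file name -> distinct SHA256s seen under it."""
    by_name = defaultdict(set)
    for r in records:
        by_name[normalize(r.path).rpartition("\\")[2].strip()].add(r.hashes["SHA256"])
    return {n: sorted(h) for n, h in by_name.items() if len(h) > 1}


def whitespace_names(records):
    """Recorded paths whose file name ends in whitespace."""
    return sorted({normalize(r.path) for r in records if r.path != r.path.rstrip()})
```

The trailing-space check matters because "services32.exe " and "Services32.exe" are different files to NTFS but look identical in most tooling; keying the parser on the raw recorded path rather than a stripped one is what keeps that distinction visible.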

Analysis: behavioral5

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win7v20210410

Max time kernel

50s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 484 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF81.tmp"

C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

"{path}"

Network

Country Destination Domain Proto
N/A 152.228.150.198:11188 152.228.150.198 tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 104.26.12.31:443 api.ip.sb tcp

Files

memory/484-60-0x0000000000920000-0x0000000000921000-memory.dmp

memory/484-62-0x0000000002210000-0x0000000002211000-memory.dmp

memory/484-63-0x0000000000310000-0x0000000000312000-memory.dmp

memory/484-64-0x0000000007DD0000-0x0000000007E42000-memory.dmp

memory/484-65-0x0000000000700000-0x0000000000726000-memory.dmp

memory/316-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF81.tmp

MD5 5e5087ddf1c00524a7acc9f9732ee255
SHA1 7756bfa000e98c0cb34d8fce74b3f8b9083be29b
SHA256 9113a1825fabda651473ca62c811cee3e9f57edac7cda30b0a7196906034ce42
SHA512 15ef15485bc88e44c41281309dbc93df96157bf561fe1b0bec1a1823939831eaec07d1a1edfceb3d10b4015354fea21603a4793b58694c7ed45c993aef98bb00

memory/1500-68-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1500-69-0x0000000000417EB6-mapping.dmp

memory/1500-70-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1500-72-0x00000000008C0000-0x00000000008C1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210408

Max time kernel

56s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 652 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 652 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Windows\SysWOW64\schtasks.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
PID 652 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCF3.tmp"

C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe

"{path}"

Network

Country Destination Domain Proto
N/A 152.228.150.198:11188 152.228.150.198 tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 172.67.75.172:443 api.ip.sb tcp

Files

memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/652-116-0x0000000005240000-0x0000000005241000-memory.dmp

memory/652-117-0x0000000004C80000-0x0000000004C81000-memory.dmp

memory/652-118-0x0000000004D40000-0x000000000523E000-memory.dmp

memory/652-119-0x0000000004C70000-0x0000000004C71000-memory.dmp

memory/652-120-0x0000000008400000-0x0000000008401000-memory.dmp

memory/652-121-0x0000000005220000-0x0000000005222000-memory.dmp

memory/652-122-0x0000000006880000-0x00000000068F2000-memory.dmp

memory/652-123-0x0000000006A50000-0x0000000006A76000-memory.dmp

memory/1416-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFCF3.tmp

MD5 64fdfac90fc4b8507a615754fc21e2b7
SHA1 568a0b2eed35375c9213d9f364d1c15e1babff90
SHA256 0060c1f70ee90fba524ebd55636308647943f46a50bbca109924505e2c642c9f
SHA512 5c9282502ff39c421ef6bd633177d7e560569146f2be0eebd6e0623dc47d8671aca861833d3ebae4f9b9d54093d1df221c4dfefb970e9edd713a5b666e254a02

memory/3488-126-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3488-127-0x0000000000417EB6-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/3488-131-0x0000000005B10000-0x0000000005B11000-memory.dmp

memory/3488-132-0x0000000005520000-0x0000000005521000-memory.dmp

memory/3488-133-0x0000000005580000-0x0000000005581000-memory.dmp

memory/3488-134-0x00000000055C0000-0x00000000055C1000-memory.dmp

memory/3488-135-0x0000000005500000-0x0000000005B06000-memory.dmp

memory/3488-136-0x0000000005830000-0x0000000005831000-memory.dmp

memory/3488-137-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

memory/3488-138-0x00000000071B0000-0x00000000071B1000-memory.dmp

memory/3488-141-0x0000000007A70000-0x0000000007A71000-memory.dmp
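Both detonations of 25dc70a3….exe (behavioral5 on win7v20210410, behavioral6 on win10v20210408) show the same pattern in the WriteProcessMemory table: the sample starts a second instance of its own image with the literal command line "{path}" and writes into it repeatedly (nine times to PID 1500 on win7, eight times to PID 3488 on win10), and the Files section then records a mapping artifact at 0x417EB6 inside the 0x400000-0x41E000 region dumped from that child. The few writes into the schtasks.exe child do not carry that second signal. The Python below is an added example, not part of this report, that correlates the two tables to separate the self-injection pattern from the other writes; it reproduces the behavioral5 rows and artifact names, and the row and artifact formats are assumed from how the report prints them (paths containing no spaces).

```python
"""Correlate WriteProcessMemory rows with the memory artifacts listed under Files.

Added example (not part of the sandbox report). SAMPLE_ROWS and SAMPLE_ARTIFACTS
reproduce the behavioral5 tables; the row and artifact-name formats are assumed
from how the report prints them (paths containing no spaces).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"

# The 13 rows of the behavioral5 'Suspicious use of WriteProcessMemory' table.
SAMPLE_ROWS = (
    [f"PID 484 wrote to memory of 316 N/A {EXE} {SCHTASKS}"] * 4
    + [f"PID 484 wrote to memory of 1500 N/A {EXE} {EXE}"] * 9
)
# Memory artifacts for PIDs 316 and 1500 from the behavioral5 Files section.
SAMPLE_ARTIFACTS = [
    "memory/316-66-0x0000000000000000-mapping.dmp",
    "memory/1500-68-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/1500-69-0x0000000000417EB6-mapping.dmp",
    "memory/1500-70-0x0000000000400000-0x000000000041E000-memory.dmp",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")

Pair = Tuple[int, int]  # (source pid, target pid)


def parse_writes(rows: Iterable[str]):
    """Count writes per (source, target) pair and keep the two image paths."""
    counts: Counter = Counter()
    images: Dict[Pair, Tuple[str, str]] = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            pair = (int(m.group(1)), int(m.group(2)))
            counts[pair] += 1
            images[pair] = (m.group(3), m.group(4))
    return counts, images


def parse_artifacts(names: Iterable[str]):
    """pid -> dumped [start, end) regions, and pid -> mapping addresses."""
    regions: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    mappings: Dict[int, List[int]] = defaultdict(list)
    for n in names:
        m = REGION_RE.match(n)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = MAPPING_RE.match(n)
        if m:
            mappings[int(m.group(1))].append(int(m.group(2), 16))
    return regions, mappings


def mapped_into_dumped_region(pid: int, regions, mappings) -> bool:
    """True when a non-zero mapping address of pid lies inside a region dumped from pid."""
    for addr in mappings.get(pid, []):
        if addr and any(start <= addr < end for start, end in regions.get(pid, [])):
            return True
    return False


def analyse(rows, artifact_names) -> Dict[Pair, dict]:
    counts, images = parse_writes(rows)
    regions, mappings = parse_artifacts(artifact_names)
    report = {}
    for pair, n in counts.items():
        src_img, dst_img = images[pair]
        report[pair] = {
            "writes": n,
            "target_image": dst_img,
            "same_image": src_img.lower() == dst_img.lower(),
            "mapping_in_dumped_region": mapped_into_dumped_region(pair[1], regions, mappings),
        }
    return report


def hollowing_candidates(report) -> List[Pair]:
    """Pairs where the parent wrote into a second instance of its own image and the
    child's recorded mapping address falls inside memory the sandbox dumped from it."""
    return sorted(p for p, v in report.items()
                  if v["same_image"] and v["mapping_in_dumped_region"])


if __name__ == "__main__":
    rep = analyse(SAMPLE_ROWS, SAMPLE_ARTIFACTS)
    for pair, v in sorted(rep.items()):
        flag = "SELF-INJECTION" if pair in hollowing_candidates(rep) else ""
        print(pair, v["writes"], "writes ->", v["target_image"], flag)
```

The check deliberately requires both signals together: a parent writing into a child that runs the same image, and a non-zero mapping address inside a region dumped from that child. Either alone is weak (programs legitimately respawn themselves, and the sandbox dumps many regions), which is why the four writes into schtasks.exe are reported but not flagged.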

Analysis: behavioral9

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210410

Max time kernel

15s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 iceanedy.com udp
N/A 172.67.214.126:443 iceanedy.com tcp

Files

memory/1632-59-0x0000000002B50000-0x0000000003476000-memory.dmp

memory/1632-60-0x0000000000400000-0x0000000000D41000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210408

Max time kernel

150s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Modifies Windows Firewall

evasion

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 520 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe C:\Users\Admin\AppData\Local\Temp\Checker.exe
PID 520 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
PID 580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe

"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"

C:\Users\Admin\AppData\Local\Temp\Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Checker.exe"

C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe

"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.131.207.170:17971 2.tcp.ngrok.io tcp
N/A 3.138.45.170:17971 2.tcp.ngrok.io tcp
N/A 13.59.15.185:17971 2.tcp.ngrok.io tcp

Files

memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmp

\Users\Admin\AppData\Local\Temp\Checker.exe

MD5 970dbe61f878ffef5c98df482a33b93a
SHA1 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957
SHA256 bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48
SHA512 f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621

memory/1456-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Checker.exe

MD5 970dbe61f878ffef5c98df482a33b93a
SHA1 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957
SHA256 bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48
SHA512 f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621

\Users\Admin\AppData\Local\Temp\SA_Checker.exe

MD5 88949354d6430e1c6fd4ee0e0d987070
SHA1 10d1014f00cd173449f1d3ea2b698a5443688584
SHA256 d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0
SHA512 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29

memory/580-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe

MD5 88949354d6430e1c6fd4ee0e0d987070
SHA1 10d1014f00cd173449f1d3ea2b698a5443688584
SHA256 d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0
SHA512 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29

memory/580-69-0x0000000000390000-0x0000000000391000-memory.dmp

memory/1488-70-0x0000000000000000-mapping.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

148s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Modifies Windows Firewall

evasion

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe C:\Users\Admin\AppData\Local\Temp\Checker.exe
PID 2184 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
PID 1896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Checker.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe

"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"

C:\Users\Admin\AppData\Local\Temp\Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Checker.exe"

C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe

"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.138.45.170:17971 2.tcp.ngrok.io tcp
N/A 3.131.207.170:17971 2.tcp.ngrok.io tcp

Files

memory/1896-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Checker.exe

MD5 970dbe61f878ffef5c98df482a33b93a
SHA1 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957
SHA256 bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48
SHA512 f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621

memory/2356-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe

MD5 88949354d6430e1c6fd4ee0e0d987070
SHA1 10d1014f00cd173449f1d3ea2b698a5443688584
SHA256 d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0
SHA512 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29

memory/2356-119-0x0000000002B50000-0x0000000002B51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Checker.exe

MD5 970dbe61f878ffef5c98df482a33b93a
SHA1 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957
SHA256 bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48
SHA512 f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621

memory/2920-121-0x0000000000000000-mapping.dmp

memory/2208-122-0x0000000000000000-mapping.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210408

Max time kernel

151s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Services32.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
PID 1448 wrote to memory of 1672 N/A \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  C:\Windows\system32\cmd.exe
PID 1672 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1832 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1988 wrote to memory of 604 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 604 wrote to memory of 1552 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1552 wrote to memory of 1864 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1864 wrote to memory of 1800 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 604 wrote to memory of 1624 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1864 wrote to memory of 1020 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1448 wrote to memory of 1564 N/A \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  C:\Windows\System32\cmd.exe
PID 1564 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1448 wrote to memory of 900 N/A \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1448 wrote to memory of 1380 N/A \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  C:\Users\Admin\AppData\Local\Temp\Services32.exe
PID 1380 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\Services32.exe \??\c:\users\admin\appdata\local\temp\services32.exe 

Processes

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:06 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Users\Admin\AppData\Local\Temp\Services32.exe

"C:\Users\Admin\AppData\Local\Temp\Services32.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

\??\c:\users\admin\appdata\local\temp\services32.exe 

c:\users\admin\appdata\local\temp\services32.exe 

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:07 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:08 /f

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

memory/1448-64-0x0000000000000000-mapping.dmp

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 54d6cc008e989cf18fd62e341eba0274
SHA1 cefd027fac1c5bc86bd6ea8cb1e7cb234384864f
SHA256 a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8
SHA512 bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 109ddd9d9274fc7a0f98d903cb9cc1fe
SHA1 8745aa9a57c1b752e83387745c2b1bc43bb3626b
SHA256 4e80b55a36c690fdc45f066cc78b73ac855f4afe9d7e7affd61b5e1fcf0969fe
SHA512 9f1b687288290e1bc5826f2a715a190d2cf0a57e605805d2b24a808d19501520f583f1314227a1cb9416a96bd94bc321ddff57b1ace31f03632ef5d101665542

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9bd3a235-800a-4d6a-ba93-a1170c58da7e

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0c700710-19bd-4cbc-bb0d-177e8138058c

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_747bdf1d-1046-4eeb-9947-1d87226e5203

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6412e505-fc2c-416c-8df2-48c2384208f0

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fba6c941-cf5b-4667-a9d6-b38365da9280

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36fe3446-9fd2-46b8-a05b-397c04229954

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de0afcc7-7a35-41e7-8005-d4eaefcb8ae4

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

memory/920-112-0x0000000000000000-mapping.dmp

memory/920-119-0x000000001AB30000-0x000000001AB32000-memory.dmp

memory/920-120-0x000000001AB34000-0x000000001AB36000-memory.dmp

memory/260-121-0x0000000000000000-mapping.dmp

memory/260-127-0x000000001A920000-0x000000001A922000-memory.dmp

memory/260-128-0x000000001A924000-0x000000001A926000-memory.dmp

\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

memory/1988-131-0x0000000000000000-mapping.dmp

\??\c:\windows\resources\themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

memory/604-138-0x0000000000000000-mapping.dmp

\Windows\Resources\Themes\explorer.exe

MD5 b5ce94bc12efa5a9f28b93a525edd1d3
SHA1 d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d
SHA256 ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a
SHA512 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

C:\Windows\Resources\Themes\explorer.exe

MD5 b5ce94bc12efa5a9f28b93a525edd1d3
SHA1 d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d
SHA256 ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a
SHA512 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

\??\c:\windows\resources\themes\explorer.exe

MD5 b5ce94bc12efa5a9f28b93a525edd1d3
SHA1 d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d
SHA256 ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a
SHA512 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

\Windows\Resources\spoolsv.exe

MD5 161db796a25cf2bbd19f18d438400cf9
SHA1 b42436bece3a15771cb54f60d4a47e0469660c02
SHA256 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a
SHA512 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

memory/1552-145-0x0000000000000000-mapping.dmp

C:\Windows\Resources\spoolsv.exe

MD5 161db796a25cf2bbd19f18d438400cf9
SHA1 b42436bece3a15771cb54f60d4a47e0469660c02
SHA256 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a
SHA512 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

\??\c:\windows\resources\spoolsv.exe

MD5 161db796a25cf2bbd19f18d438400cf9
SHA1 b42436bece3a15771cb54f60d4a47e0469660c02
SHA256 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a
SHA512 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

memory/1864-152-0x0000000000000000-mapping.dmp

\Windows\Resources\svchost.exe

MD5 96002ea74ef7086cabcd0b74b6eae617
SHA1 c251574fecf4d1453c01c0d36d02ead805d14eb7
SHA256 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab
SHA512 f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

C:\Windows\Resources\svchost.exe

MD5 96002ea74ef7086cabcd0b74b6eae617
SHA1 c251574fecf4d1453c01c0d36d02ead805d14eb7
SHA256 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab
SHA512 f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

memory/1800-159-0x0000000000000000-mapping.dmp

C:\Windows\Resources\spoolsv.exe

MD5 161db796a25cf2bbd19f18d438400cf9
SHA1 b42436bece3a15771cb54f60d4a47e0469660c02
SHA256 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a
SHA512 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

\??\c:\windows\resources\svchost.exe

MD5 96002ea74ef7086cabcd0b74b6eae617
SHA1 c251574fecf4d1453c01c0d36d02ead805d14eb7
SHA256 7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab
SHA512 f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

\Windows\Resources\spoolsv.exe

MD5 161db796a25cf2bbd19f18d438400cf9
SHA1 b42436bece3a15771cb54f60d4a47e0469660c02
SHA256 60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a
SHA512 76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

memory/1624-164-0x0000000000000000-mapping.dmp

memory/1020-166-0x0000000000000000-mapping.dmp

memory/1448-167-0x0000000000560000-0x0000000000568000-memory.dmp

memory/1448-168-0x000000001B810000-0x000000001B812000-memory.dmp

memory/1564-169-0x0000000000000000-mapping.dmp

memory/944-170-0x0000000000000000-mapping.dmp

memory/900-172-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 d1f4a92a1672d7d22a90e2567523d03e
SHA1 a1683621e2103e1df1ce22def923e4ef62ddcd11
SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b
SHA512 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 d1f4a92a1672d7d22a90e2567523d03e
SHA1 a1683621e2103e1df1ce22def923e4ef62ddcd11
SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b
SHA512 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 d1f4a92a1672d7d22a90e2567523d03e
SHA1 a1683621e2103e1df1ce22def923e4ef62ddcd11
SHA256 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b
SHA512 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

memory/1380-175-0x0000000000000000-mapping.dmp

memory/900-176-0x000000013F560000-0x000000013F561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Services32.exe

MD5 70c771952bc897446d3ddad90541a1e6
SHA1 b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256 aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

\??\c:\users\admin\appdata\local\temp\services32.exe

MD5 70c771952bc897446d3ddad90541a1e6
SHA1 b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256 aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

memory/1580-184-0x0000000000000000-mapping.dmp

\??\c:\users\admin\appdata\local\temp\services32.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

C:\Users\Admin\AppData\Local\Temp\services32.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

memory/1568-187-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\services32.exe 

MD5 5552f88a40afa2e2fef5acbd590ac812
SHA1 5afef5451811830c1ec3108cd7ee66a0418a6186
SHA256 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f
SHA512 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

memory/584-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 54d6cc008e989cf18fd62e341eba0274
SHA1 cefd027fac1c5bc86bd6ea8cb1e7cb234384864f
SHA256 a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8
SHA512 bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/584-191-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

memory/584-192-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

memory/1992-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1992-196-0x000000001AC74000-0x000000001AC76000-memory.dmp

memory/1992-195-0x000000001AC70000-0x000000001AC72000-memory.dmp

memory/1140-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1140-199-0x000000001AE40000-0x000000001AE42000-memory.dmp

memory/1140-200-0x000000001AE44000-0x000000001AE46000-memory.dmp

memory/1364-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1364-203-0x000000001AD20000-0x000000001AD22000-memory.dmp

memory/1364-204-0x000000001AD24000-0x000000001AD26000-memory.dmp

memory/1200-206-0x0000000000000000-mapping.dmp

\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

\??\c:\windows\resources\themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 f2667d617c1c5156004ea365bc759c1c
SHA1 10592eb1cd290802867f1fa13470717fa5643f59
SHA256 e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792
SHA512 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

C:\Windows\Resources\Themes\explorer.exe

MD5 b5ce94bc12efa5a9f28b93a525edd1d3
SHA1 d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d
SHA256 ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a
SHA512 5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

memory/1544-209-0x0000000000000000-mapping.dmp

memory/1384-211-0x0000000000000000-mapping.dmp

memory/1452-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1580-214-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

memory/1452-215-0x000000001ADA0000-0x000000001ADA2000-memory.dmp

memory/1452-216-0x000000001ADA4000-0x000000001ADA6000-memory.dmp

memory/1268-217-0x0000000000000000-mapping.dmp

memory/316-218-0x0000000000000000-mapping.dmp

memory/1652-219-0x0000000000000000-mapping.dmp

memory/792-220-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/792-223-0x000000001AA50000-0x000000001AA52000-memory.dmp

memory/792-224-0x000000001AA54000-0x000000001AA56000-memory.dmp

memory/1648-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1648-227-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

memory/1648-228-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

memory/1976-229-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 530394d7fd15e8365d1ba1789015102c
SHA1 051bef53bb017c7f70c694eab2c57f6a4654b3e6
SHA256 6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832
SHA512 5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

memory/1976-232-0x000000001AC70000-0x000000001AC72000-memory.dmp

memory/1976-233-0x000000001AC74000-0x000000001AC76000-memory.dmp

memory/1316-234-0x0000000000000000-mapping.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win7v20210408

Max time kernel

134s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe

"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"

Network

Country Destination Domain Proto
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp

Files

memory/940-60-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/940-62-0x000000001B300000-0x000000001B302000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

21s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 50.16.220.248:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 f0558828.xsph.ru udp
N/A 141.8.192.151:80 f0558828.xsph.ru tcp

Files

memory/3608-114-0x0000017F3B480000-0x0000017F3B481000-memory.dmp

memory/3608-116-0x0000017F3D1F0000-0x0000017F3D261000-memory.dmp

memory/3608-117-0x0000017F55CB0000-0x0000017F55CB2000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210410

Max time kernel

147s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 1048 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

Network

Country Destination Domain Proto
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp

Files

memory/1048-60-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1048-62-0x0000000004890000-0x0000000004891000-memory.dmp

memory/320-63-0x0000000000400000-0x000000000041E000-memory.dmp

memory/320-64-0x0000000000417E42-mapping.dmp

memory/320-65-0x0000000000400000-0x000000000041E000-memory.dmp

memory/320-67-0x0000000004360000-0x0000000004361000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

17s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\output.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe

"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"

C:\Users\Admin\AppData\Roaming\output.exe

"C:\Users\Admin\AppData\Roaming\output.exe"

C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe

"C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe"

Network

Country Destination Domain Proto
N/A 45.81.227.32:22625 45.81.227.32 tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 104.26.13.31:443 api.ip.sb tcp
N/A 8.8.8.8:53 checkip.amazonaws.com udp
N/A 34.202.33.33:80 checkip.amazonaws.com tcp
N/A 8.8.8.8:53 whois.iana.org udp
N/A 192.0.47.59:43 whois.iana.org tcp
N/A 8.8.8.8:53 WHOIS.AFRINIC.NET udp
N/A 196.216.2.21:43 WHOIS.AFRINIC.NET tcp

Files

memory/1240-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\output.exe

MD5 2f376ad2903620fd9f52c4d8af903777
SHA1 726ecc2dff7d3af1b4d03591761183f70c9a1242
SHA256 e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
SHA512 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb

C:\Users\Admin\AppData\Roaming\output.exe

MD5 2f376ad2903620fd9f52c4d8af903777
SHA1 726ecc2dff7d3af1b4d03591761183f70c9a1242
SHA256 e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
SHA512 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb

memory/1240-119-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

memory/1240-121-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/3780-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe

MD5 f4bbbbd0c06b5b5f46386ad1db6227b0
SHA1 5a026b7ed8c49b1213a6393e938c91399ff33eb8
SHA256 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
SHA512 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48

C:\Users\Admin\AppData\Local\Temp\ODJgvsYTGNTHzlbflfNSWqCs.exe

MD5 f4bbbbd0c06b5b5f46386ad1db6227b0
SHA1 5a026b7ed8c49b1213a6393e938c91399ff33eb8
SHA256 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
SHA512 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48

memory/3780-125-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/3780-127-0x0000000005B10000-0x0000000005B11000-memory.dmp

memory/3780-128-0x0000000006620000-0x0000000006621000-memory.dmp

memory/3780-129-0x0000000005770000-0x0000000005771000-memory.dmp

memory/3780-130-0x0000000005730000-0x0000000005731000-memory.dmp

memory/3780-131-0x0000000005850000-0x0000000005851000-memory.dmp

memory/3780-132-0x0000000007D70000-0x0000000007D71000-memory.dmp

memory/3780-133-0x0000000005610000-0x0000000005B0E000-memory.dmp

memory/3780-134-0x0000000007F20000-0x0000000007F21000-memory.dmp

memory/3780-135-0x0000000008750000-0x0000000008751000-memory.dmp

memory/3780-136-0x0000000008E50000-0x0000000008E51000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210408

Max time kernel

10s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe

"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

129s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe

"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"

Network

Country Destination Domain Proto
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp
N/A 95.169.210.148:6666 tcp

Files

memory/500-114-0x0000000000390000-0x0000000000391000-memory.dmp

memory/500-116-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210408

Max time kernel

17s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"

Signatures

Echelon

stealer spyware echelon

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.175.90:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 f0558828.xsph.ru udp
N/A 141.8.192.151:80 f0558828.xsph.ru tcp

Files

memory/564-59-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/564-61-0x0000000000740000-0x00000000007B1000-memory.dmp

memory/564-62-0x000000001B0B0000-0x000000001B0B2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:10

Platform

win7v20210408

Max time kernel

123s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\output.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe

"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"

C:\Users\Admin\AppData\Roaming\output.exe

"C:\Users\Admin\AppData\Roaming\output.exe"

C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe

"C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe"

Network

Country Destination Domain Proto
N/A 45.81.227.32:22625 45.81.227.32 tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 172.67.75.172:443 api.ip.sb tcp
N/A 8.8.8.8:53 checkip.amazonaws.com udp
N/A 100.24.147.96:80 checkip.amazonaws.com tcp
N/A 8.8.8.8:53 whois.iana.org udp
N/A 192.0.47.59:43 whois.iana.org tcp
N/A 8.8.8.8:53 WHOIS.AFRINIC.NET udp
N/A 196.216.2.20:43 WHOIS.AFRINIC.NET tcp

Files

memory/1832-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

\Users\Admin\AppData\Roaming\output.exe

MD5 2f376ad2903620fd9f52c4d8af903777
SHA1 726ecc2dff7d3af1b4d03591761183f70c9a1242
SHA256 e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
SHA512 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb

memory/1996-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\output.exe

MD5 2f376ad2903620fd9f52c4d8af903777
SHA1 726ecc2dff7d3af1b4d03591761183f70c9a1242
SHA256 e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
SHA512 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb

memory/1996-68-0x0000000000E40000-0x0000000000E41000-memory.dmp

memory/1996-70-0x00000000004D0000-0x00000000004D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe

MD5 f4bbbbd0c06b5b5f46386ad1db6227b0
SHA1 5a026b7ed8c49b1213a6393e938c91399ff33eb8
SHA256 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
SHA512 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48

C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe

MD5 f4bbbbd0c06b5b5f46386ad1db6227b0
SHA1 5a026b7ed8c49b1213a6393e938c91399ff33eb8
SHA256 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
SHA512 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48

memory/588-72-0x0000000000000000-mapping.dmp

memory/588-75-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/588-77-0x0000000000260000-0x0000000000261000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win7v20210410

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe

"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"

Network

N/A

Files

memory/1852-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210408

Max time kernel

16s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3396 created 996 N/A \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe N/A
Token: SeTcbPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A \??\c:\windows\system32\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s seclogon

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 iceanedy.com udp
N/A 104.21.86.39:443 iceanedy.com tcp

Files

memory/996-114-0x0000000002F90000-0x00000000038B6000-memory.dmp

memory/996-115-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/4056-116-0x0000000000000000-mapping.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2021-07-08 07:06

Reported

2021-07-08 07:09

Platform

win10v20210410

Max time kernel

143s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
PID 3872 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe

Network

Country Destination Domain Proto
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp
N/A 185.203.243.131:27365 tcp

Files

memory/3872-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

memory/3872-116-0x00000000057D0000-0x00000000057D1000-memory.dmp

memory/3872-117-0x0000000003130000-0x0000000003131000-memory.dmp

memory/3872-118-0x0000000005980000-0x0000000005981000-memory.dmp

memory/2856-119-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2856-120-0x0000000000417E42-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe.log

MD5 7438b57da35c10c478469635b79e33e1
SHA1 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5
SHA256 b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70
SHA512 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

memory/2856-124-0x0000000005890000-0x0000000005891000-memory.dmp

memory/2856-125-0x00000000052B0000-0x00000000052B1000-memory.dmp

memory/2856-126-0x0000000005310000-0x0000000005311000-memory.dmp

memory/2856-127-0x0000000005350000-0x0000000005351000-memory.dmp

memory/2856-129-0x0000000005650000-0x0000000005651000-memory.dmp

memory/2856-128-0x0000000005280000-0x0000000005886000-memory.dmp