Analysis Overview
SHA256
aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
Threat Level: Known bad
The file $RTKOW1B.zip was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Drops file in System32 directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-20 19:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 19:34
Reported
2022-12-20 20:04
Platform
win7-20221111-en
Max time kernel
1640s
Max time network
1598s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
Network
Files
memory/868-54-0x000007FEFC131000-0x000007FEFC133000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-20 19:34
Reported
2022-12-20 20:04
Platform
win10v2004-20221111-en
Max time kernel
1791s
Max time network
1766s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\User\Registry.pol | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3116" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3116" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3746" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1034" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9808" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11629" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1067" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9130" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1067" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1067" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11629" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8248" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9940" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9130" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9808" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9808" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8248" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1034" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9940" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9940" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11629" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9130" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3746" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1034" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3116" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3746" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8248" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap7296:114:7zEvent11495
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3512 -ip 3512
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3512 -s 5760
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetRunAsUserRegKeyFlow
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.248.99.254:80 | tcp | |
| N/A | 104.208.16.90:443 | tcp | |
| N/A | 8.248.99.254:80 | tcp | |
| N/A | 8.248.99.254:80 | tcp | |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 8.247.211.254:80 | tcp | |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| N/A | 23.0.87.20:443 | cxcs.microsoft.net | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:53 | spo-ring.msedge.net | udp |
| N/A | 13.107.136.254:443 | spo-ring.msedge.net | tcp |
| N/A | 8.8.8.8:53 | 91c5860af7ca38fddd0837cf71f3a66d.clo.footprintdns.com | udp |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
Files
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
| MD5 | 9f19dd31900efd76299b3664eda0cd3a |
| SHA1 | 028b44165c9995cae1035e06bb2d15027add44f8 |
| SHA256 | 43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f |
| SHA512 | 9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f |
memory/2976-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
memory/4772-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
memory/4772-138-0x000002AE96BD0000-0x000002AE96BD9000-memory.dmp
memory/3368-144-0x0000000000000000-mapping.dmp
memory/4680-145-0x0000000000000000-mapping.dmp
memory/4424-146-0x0000000000000000-mapping.dmp
memory/3404-147-0x0000000000000000-mapping.dmp
memory/3876-148-0x0000000000000000-mapping.dmp
memory/3528-149-0x0000000000000000-mapping.dmp
memory/3364-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
| MD5 | cc31d1d48706f236026b5b7f8ca0d87b |
| SHA1 | 5b6a8356ca69d4db720d2753ab4b999a0151297d |
| SHA256 | da0ba8858c67f270b2c660fc882253fff8962261aff9cfee46425740ba48e554 |
| SHA512 | 133228a495440dc66ca885e4f75e9f07b5d5f61c400af9f9d344c9779fbd3b0c9857819307d6531f60e1aae0a18084c6bfe0e158ad1379d4fac7906cd2ed7c4c |
memory/4472-152-0x0000000000000000-mapping.dmp
memory/1836-161-0x00000230815C0000-0x00000230815E0000-memory.dmp
memory/1836-162-0x0000023080AB0000-0x0000023080AD0000-memory.dmp
memory/1836-167-0x000002308300A000-0x000002308300D000-memory.dmp
memory/1836-168-0x000002308300A000-0x000002308300D000-memory.dmp
memory/1836-169-0x000002308300A000-0x000002308300D000-memory.dmp
memory/1836-170-0x000002308300A000-0x000002308300D000-memory.dmp
memory/1836-173-0x000002308300F000-0x0000023083013000-memory.dmp
memory/1836-172-0x000002308300F000-0x0000023083013000-memory.dmp
memory/1836-175-0x000002308300F000-0x0000023083013000-memory.dmp
memory/1836-174-0x000002308300F000-0x0000023083013000-memory.dmp
memory/1836-176-0x000002308300F000-0x0000023083013000-memory.dmp
memory/1836-178-0x0000023081370000-0x0000023081470000-memory.dmp
memory/1836-179-0x00000230936E0000-0x00000230936E8000-memory.dmp
memory/1836-181-0x000002308302F000-0x0000023083032000-memory.dmp
memory/1836-183-0x000002308302F000-0x0000023083032000-memory.dmp
memory/1836-182-0x000002308302F000-0x0000023083032000-memory.dmp