Analysis Overview
SHA256
612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8
Threat Level: Known bad
The file 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8 was found to be: Known bad.
Malicious Activity Summary
RisePro
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 17:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-15 17:07
Reported
2024-04-15 17:10
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Engineering.ps1
Network
Files
memory/1620-4-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/1620-5-0x00000000027E0000-0x00000000027E8000-memory.dmp
memory/1620-6-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1620-7-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/1620-9-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/1620-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1620-10-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/1620-11-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/1620-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-15 17:07
Reported
2024-04-15 17:10
Platform
win10v2004-20240412-en
Max time kernel
123s
Max time network
131s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Engineering.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.104.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vekngalu.zt5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2508-5-0x00000241FDCC0000-0x00000241FDCE2000-memory.dmp
memory/2508-10-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmp
memory/2508-11-0x00000241FB260000-0x00000241FB270000-memory.dmp
memory/2508-12-0x00000241FB260000-0x00000241FB270000-memory.dmp
memory/2508-13-0x00000241FB260000-0x00000241FB270000-memory.dmp
memory/2508-16-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 17:07
Reported
2024-04-15 17:10
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
RisePro
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2584 created 1356 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2584 set thread context of 2304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
"C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Watson Watson.bat && Watson.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 22712
C:\Windows\SysWOW64\findstr.exe
findstr /V "UpsMerryPavilionElected" Geometry
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Engineering + Higher + Do + Whole + Manager + Vids + Cave + Andrews + Richards 22712\k
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif
22712\Are.pif 22712\k
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ISDUDbAKJxbbbLCaLVhMwcxH.ISDUDbAKJxbbbLCaLVhMwcxH | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Watson
| MD5 | 15cfefdcc97b72ec322261b1a2a0967c |
| SHA1 | 0fbc98d6228af405a1fd99eac72fa1b33dc0ccd8 |
| SHA256 | b862b742cb351910daebb8538b82d4e477bbd9f72e295f5bba892b4fbd7ea356 |
| SHA512 | 1b02391503ae106cd88a5e99d26bf372b441a2bffa72b98f6ad5403ddde649702a2834db01e80d1a6725fb5ee797d4aecc2290536b4742e17e1c3a6f43d1d7cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Geometry
| MD5 | 49769aeba86d06178b4a55963cf73d10 |
| SHA1 | bc741a05dc78836c5004ac0eb7ec49d393d2ef5e |
| SHA256 | 3078b5699f3e1d4a01950050d81a5be4895cd3253411227ffe8642831cd57f4b |
| SHA512 | 15610513128457f3f25b06dea475bce9720d2e59457a3605d5602b6183dc6d0f3d32e32e21eae50c44ffce3da18f1f0af2fcc52dd954a463fa474b754cbc17f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rays
| MD5 | 2f046067dda5d0afae42af46649cca7d |
| SHA1 | 527b4e78a8725215b613db4583db5639bf42098d |
| SHA256 | 144751aa216f372d6131735f3b5c4e661d056a5ced6b058edc488c2d9d403218 |
| SHA512 | 1fd2000c47b32432a7af263e875d568f928331777c6c33c10da4aa70206e536993b94c07fce8353ff598df638873069d655d26645196d898e52a8c2f89a0c5dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warm
| MD5 | 4eb0b8b5e2eb55522366e571357b935a |
| SHA1 | dee7d930b3fecf4bdcbba43e1b896f8f183fe58c |
| SHA256 | ae1171c721da3f34b3872cb2a41cb1bdb22990954e0c5b66363a39c46893dc3f |
| SHA512 | 60710c4b93fcb3e1eddc7d833ab596db44d38d11ad35cd6bf96150336b47195e394c807ffa4aa466e4d5ce57134c3bb58c75168073a5d96a33cc9c223ae7471a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scanned
| MD5 | 4a678da4ac2509fefd9253212b32b5ca |
| SHA1 | 2f500a45c82e338639c8f3a01e76a94c06c694b9 |
| SHA256 | 51494455f22b6d3a81591b1f6f629bc2bf7558a743bde42913f15c1c767e834f |
| SHA512 | 0ba928c4efe3d104f4b62734f79d8b942478a19648b9d858c2d66e78c6178b90c93fe2c8c06e87ab857fa5fb5773c18936640a5073e266dea8e925109c1de469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Additional
| MD5 | a8ac7622745def45ef221b8bb2d2216f |
| SHA1 | 827f37204bfcd81d94e51a718729e17b3da56d79 |
| SHA256 | 6df83a63fbf68d11f7ed7f5a5ba71c3e90afa1768d32e210842057d50bcffcb8 |
| SHA512 | a534e8b056d41de9b5f4095a0876078cf7cbcd348cc4968da55f7c5681e41442020daa8aea5c0674fc770870586dfaa3f7598fecd9c29713b9a989f1a91253cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Engineering
| MD5 | f802e07cff596069adb7aa7b480cfe1a |
| SHA1 | 4ef8653ed9236f1462a07418b3c6bda288f8040e |
| SHA256 | 84481313e393fff2d1523bd10af35fe074f29d05095a82cc42b162a1166b0fb6 |
| SHA512 | 08426b2914a3543d27ad269e357bf3a75e815dbf2654ca94333d0cca24e03a5462d0b49836254aaa4bd257e3792c95408490440f1e8b2c56bd29958d121f58fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Higher
| MD5 | 3f454ed94b01c7edbd6bb020d89a9c99 |
| SHA1 | 8e0e71ecad2ec8917dd922b4442cf53083db6292 |
| SHA256 | abbfbf7a3430591ab663450f96bd6c318c108519264df7e828d52aebd33c87da |
| SHA512 | 886a5b70a0ca7290645b430fd424fd03eb492a0b0e2acd8062369e8500ee18a0552886bb90f376b6ab2a8bea97b303f801c662ac44ce31a984dc3942dcd1e740 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Do
| MD5 | 9d29cb7d7d1e7bbed6fdc1a2555c2115 |
| SHA1 | 3c89a6ac7fd3f7f57a92ce155045dc3791553588 |
| SHA256 | 41a7a8b80ef25cd12ce9241a8b03d919f966adc14cbef163ca0747dc01c7a9bf |
| SHA512 | b218c24f5e23e02de9d79e74d3c1f0d4cae797a25f544a5d792c0505de74011e7d8b5e15d6abbcfb55316c86a4116a82989d490959fd8fcb037e6fc9ca7e38bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Richards
| MD5 | 8ca6db36e13131806dc7313787919a1d |
| SHA1 | 21a6ec85e8f425a81ff3c6639f16da275a4ce0ee |
| SHA256 | a8b67101e121755dd4510412c450430d79f54f4f8c67974b4b79b72819010e73 |
| SHA512 | 889c4f4729f65605edaca4c5f110f026b18c5848645920b9b1490646a349d35123a60426dd899b97cab933ca6a751e5d6c3ee1ec3bf57e788fcb5a07fedf746f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Andrews
| MD5 | 1230bde8dde6c5e68125f6e2288454a3 |
| SHA1 | ba9e6ed3346c56eddd63a094c6c23a4201e689aa |
| SHA256 | 418588155f1eb77a144994d287f624dd2d3438f3d5b802c2248a8e076bea832a |
| SHA512 | fe7a4c11f1a2146a471e80ccea4a4a29894a6918639ef5e23bef5f1f5a0a550cc847cb11ccb1c698a1033602d4f729963de9cc2390c4db0415abdf5b7b7e3209 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cave
| MD5 | 103c3651412ed3a6860a5e047c339b1d |
| SHA1 | 4ed01c03f2c44dc741a5a9ae570858111f5e6f46 |
| SHA256 | 28b3d124a0a07f85b50a904fec992b189c55bae695feb0cf2754a67cda880858 |
| SHA512 | 4d02530e92539f855802b09fa1a17dc421ea3d36294559fe50fa251208aced0cabc76ccc447a5f871b91461ab79aef49acd182a05594e6bd8dfbb9d0dd7763b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vids
| MD5 | 70ea9b81a0bb39c0d1c5a0ac6f01db31 |
| SHA1 | e4ece851673f68aa004642192e0f493c9b81d8df |
| SHA256 | 4616371a40c96b2de845d9eabc66631e29f2b4027ab50d009dc9fcb154a616c9 |
| SHA512 | 8a07c9fec0bf8f0086fc98c98ab1de59736a91450106c96ed2572038e0879cf614ffb7c9c6e532b5ca74faaf4fe6669da1c6ee397f761482e69c7b697b13fc36 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Manager
| MD5 | 585145743429f81563517260cca04bf4 |
| SHA1 | 461294d65df7f6c989b9c4e15728a1f7e3d6f3a6 |
| SHA256 | b25ac01ec1d48a1723af6caa4cc932fb9065e18dcb183b3ddb6fab154cf6e27c |
| SHA512 | 587d3df8f47727b591b61f8ade781490ce231bcf0260ae672a5703ce356b829bc850742fba66e6334ed33e6f0fea1e1f4171fdd0694d588115354735a94dd848 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Whole
| MD5 | 14f4fc52032cb1b7000be168937d2dfe |
| SHA1 | f494731bc3774f5d208125cb7ad3d199d18aa831 |
| SHA256 | 3bf06f37c5295e41f3d16524fb4c1ea4bd596bea35d1cdf281852b4db8c323a3 |
| SHA512 | 701e90ae497f92a42bc0b17709ae93dbd2b23fd65750a44f5fa918ae29b6af6e100e8a78221d51fc25517ac765bcb86a78eb0bcc2a4829af3fdf707eccd009a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\k
| MD5 | 7aff03968f04c63aa0a5e4b3fd47b5b6 |
| SHA1 | ba625615d5be477662f626b103ee34c40eba3bf7 |
| SHA256 | 3d4f2b05b900dce5d893d9df515de8de6bb47628cbe38b76cba9c1f7c4982a75 |
| SHA512 | 376694c5c53dd42a5c386ecb3a314bb61c866f04b356f2f9e6be9e66261db004e2d06752bfeee65abb34dd8e9d1db09984445912a5c2ebb8098abeef012c4a28 |
memory/2584-39-0x00000000779E0000-0x0000000077AB6000-memory.dmp
memory/2584-40-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2304-42-0x0000000000080000-0x00000000001D2000-memory.dmp
memory/2304-43-0x0000000000080000-0x00000000001D2000-memory.dmp
memory/2304-46-0x0000000000080000-0x00000000001D2000-memory.dmp
memory/2304-47-0x0000000000080000-0x00000000001D2000-memory.dmp
memory/2304-48-0x0000000000080000-0x00000000001D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 17:07
Reported
2024-04-15 17:10
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
RisePro
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4304 created 3432 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | C:\Windows\Explorer.EXE |
| PID 4304 created 3432 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4304 set thread context of 1776 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
"C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Watson Watson.bat && Watson.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 22712
C:\Windows\SysWOW64\findstr.exe
findstr /V "UpsMerryPavilionElected" Geometry
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Engineering + Higher + Do + Whole + Manager + Vids + Cave + Andrews + Richards 22712\k
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
22712\Are.pif 22712\k
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ISDUDbAKJxbbbLCaLVhMwcxH.ISDUDbAKJxbbbLCaLVhMwcxH | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Watson
| MD5 | 15cfefdcc97b72ec322261b1a2a0967c |
| SHA1 | 0fbc98d6228af405a1fd99eac72fa1b33dc0ccd8 |
| SHA256 | b862b742cb351910daebb8538b82d4e477bbd9f72e295f5bba892b4fbd7ea356 |
| SHA512 | 1b02391503ae106cd88a5e99d26bf372b441a2bffa72b98f6ad5403ddde649702a2834db01e80d1a6725fb5ee797d4aecc2290536b4742e17e1c3a6f43d1d7cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Geometry
| MD5 | 49769aeba86d06178b4a55963cf73d10 |
| SHA1 | bc741a05dc78836c5004ac0eb7ec49d393d2ef5e |
| SHA256 | 3078b5699f3e1d4a01950050d81a5be4895cd3253411227ffe8642831cd57f4b |
| SHA512 | 15610513128457f3f25b06dea475bce9720d2e59457a3605d5602b6183dc6d0f3d32e32e21eae50c44ffce3da18f1f0af2fcc52dd954a463fa474b754cbc17f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rays
| MD5 | 2f046067dda5d0afae42af46649cca7d |
| SHA1 | 527b4e78a8725215b613db4583db5639bf42098d |
| SHA256 | 144751aa216f372d6131735f3b5c4e661d056a5ced6b058edc488c2d9d403218 |
| SHA512 | 1fd2000c47b32432a7af263e875d568f928331777c6c33c10da4aa70206e536993b94c07fce8353ff598df638873069d655d26645196d898e52a8c2f89a0c5dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scanned
| MD5 | 4a678da4ac2509fefd9253212b32b5ca |
| SHA1 | 2f500a45c82e338639c8f3a01e76a94c06c694b9 |
| SHA256 | 51494455f22b6d3a81591b1f6f629bc2bf7558a743bde42913f15c1c767e834f |
| SHA512 | 0ba928c4efe3d104f4b62734f79d8b942478a19648b9d858c2d66e78c6178b90c93fe2c8c06e87ab857fa5fb5773c18936640a5073e266dea8e925109c1de469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Additional
| MD5 | a8ac7622745def45ef221b8bb2d2216f |
| SHA1 | 827f37204bfcd81d94e51a718729e17b3da56d79 |
| SHA256 | 6df83a63fbf68d11f7ed7f5a5ba71c3e90afa1768d32e210842057d50bcffcb8 |
| SHA512 | a534e8b056d41de9b5f4095a0876078cf7cbcd348cc4968da55f7c5681e41442020daa8aea5c0674fc770870586dfaa3f7598fecd9c29713b9a989f1a91253cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Warm
| MD5 | 4eb0b8b5e2eb55522366e571357b935a |
| SHA1 | dee7d930b3fecf4bdcbba43e1b896f8f183fe58c |
| SHA256 | ae1171c721da3f34b3872cb2a41cb1bdb22990954e0c5b66363a39c46893dc3f |
| SHA512 | 60710c4b93fcb3e1eddc7d833ab596db44d38d11ad35cd6bf96150336b47195e394c807ffa4aa466e4d5ce57134c3bb58c75168073a5d96a33cc9c223ae7471a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Engineering
| MD5 | f802e07cff596069adb7aa7b480cfe1a |
| SHA1 | 4ef8653ed9236f1462a07418b3c6bda288f8040e |
| SHA256 | 84481313e393fff2d1523bd10af35fe074f29d05095a82cc42b162a1166b0fb6 |
| SHA512 | 08426b2914a3543d27ad269e357bf3a75e815dbf2654ca94333d0cca24e03a5462d0b49836254aaa4bd257e3792c95408490440f1e8b2c56bd29958d121f58fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Higher
| MD5 | 3f454ed94b01c7edbd6bb020d89a9c99 |
| SHA1 | 8e0e71ecad2ec8917dd922b4442cf53083db6292 |
| SHA256 | abbfbf7a3430591ab663450f96bd6c318c108519264df7e828d52aebd33c87da |
| SHA512 | 886a5b70a0ca7290645b430fd424fd03eb492a0b0e2acd8062369e8500ee18a0552886bb90f376b6ab2a8bea97b303f801c662ac44ce31a984dc3942dcd1e740 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Do
| MD5 | 9d29cb7d7d1e7bbed6fdc1a2555c2115 |
| SHA1 | 3c89a6ac7fd3f7f57a92ce155045dc3791553588 |
| SHA256 | 41a7a8b80ef25cd12ce9241a8b03d919f966adc14cbef163ca0747dc01c7a9bf |
| SHA512 | b218c24f5e23e02de9d79e74d3c1f0d4cae797a25f544a5d792c0505de74011e7d8b5e15d6abbcfb55316c86a4116a82989d490959fd8fcb037e6fc9ca7e38bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Manager
| MD5 | 585145743429f81563517260cca04bf4 |
| SHA1 | 461294d65df7f6c989b9c4e15728a1f7e3d6f3a6 |
| SHA256 | b25ac01ec1d48a1723af6caa4cc932fb9065e18dcb183b3ddb6fab154cf6e27c |
| SHA512 | 587d3df8f47727b591b61f8ade781490ce231bcf0260ae672a5703ce356b829bc850742fba66e6334ed33e6f0fea1e1f4171fdd0694d588115354735a94dd848 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Whole
| MD5 | 14f4fc52032cb1b7000be168937d2dfe |
| SHA1 | f494731bc3774f5d208125cb7ad3d199d18aa831 |
| SHA256 | 3bf06f37c5295e41f3d16524fb4c1ea4bd596bea35d1cdf281852b4db8c323a3 |
| SHA512 | 701e90ae497f92a42bc0b17709ae93dbd2b23fd65750a44f5fa918ae29b6af6e100e8a78221d51fc25517ac765bcb86a78eb0bcc2a4829af3fdf707eccd009a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vids
| MD5 | 70ea9b81a0bb39c0d1c5a0ac6f01db31 |
| SHA1 | e4ece851673f68aa004642192e0f493c9b81d8df |
| SHA256 | 4616371a40c96b2de845d9eabc66631e29f2b4027ab50d009dc9fcb154a616c9 |
| SHA512 | 8a07c9fec0bf8f0086fc98c98ab1de59736a91450106c96ed2572038e0879cf614ffb7c9c6e532b5ca74faaf4fe6669da1c6ee397f761482e69c7b697b13fc36 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cave
| MD5 | 103c3651412ed3a6860a5e047c339b1d |
| SHA1 | 4ed01c03f2c44dc741a5a9ae570858111f5e6f46 |
| SHA256 | 28b3d124a0a07f85b50a904fec992b189c55bae695feb0cf2754a67cda880858 |
| SHA512 | 4d02530e92539f855802b09fa1a17dc421ea3d36294559fe50fa251208aced0cabc76ccc447a5f871b91461ab79aef49acd182a05594e6bd8dfbb9d0dd7763b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Andrews
| MD5 | 1230bde8dde6c5e68125f6e2288454a3 |
| SHA1 | ba9e6ed3346c56eddd63a094c6c23a4201e689aa |
| SHA256 | 418588155f1eb77a144994d287f624dd2d3438f3d5b802c2248a8e076bea832a |
| SHA512 | fe7a4c11f1a2146a471e80ccea4a4a29894a6918639ef5e23bef5f1f5a0a550cc847cb11ccb1c698a1033602d4f729963de9cc2390c4db0415abdf5b7b7e3209 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richards
| MD5 | 8ca6db36e13131806dc7313787919a1d |
| SHA1 | 21a6ec85e8f425a81ff3c6639f16da275a4ce0ee |
| SHA256 | a8b67101e121755dd4510412c450430d79f54f4f8c67974b4b79b72819010e73 |
| SHA512 | 889c4f4729f65605edaca4c5f110f026b18c5848645920b9b1490646a349d35123a60426dd899b97cab933ca6a751e5d6c3ee1ec3bf57e788fcb5a07fedf746f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\k
| MD5 | 7aff03968f04c63aa0a5e4b3fd47b5b6 |
| SHA1 | ba625615d5be477662f626b103ee34c40eba3bf7 |
| SHA256 | 3d4f2b05b900dce5d893d9df515de8de6bb47628cbe38b76cba9c1f7c4982a75 |
| SHA512 | 376694c5c53dd42a5c386ecb3a314bb61c866f04b356f2f9e6be9e66261db004e2d06752bfeee65abb34dd8e9d1db09984445912a5c2ebb8098abeef012c4a28 |
memory/4304-37-0x00000000772F1000-0x0000000077411000-memory.dmp
memory/4304-38-0x00000000037B0000-0x00000000037B1000-memory.dmp
memory/1776-42-0x0000000000A00000-0x0000000000B52000-memory.dmp
memory/1776-43-0x0000000000A00000-0x0000000000B52000-memory.dmp
memory/1776-45-0x0000000000A00000-0x0000000000B52000-memory.dmp