10d115db8fdb69852e7c096c92d9c3413d15dcc0359cfac8764f434be5c4d248

Analysis

max time kernel
123s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30-04-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (233) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Deletes itself 1 IoCs

pid	Process
4916	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
4916	Winhost.exe
4476	Winhost.exe
2932	Winhost.exe
3868	Winhost.exe
4196	Winhost.exe
1616	Winhost.exe
4696	Winhost.exe
648	Winhost.exe
4812	Winhost.exe
4832	Winhost.exe
1508	Winhost.exe
1800	Winhost.exe
3824	Winhost.exe
2788	Winhost.exe
1668	Winhost.exe
2416	Winhost.exe
3016	Winhost.exe
1672	Winhost.exe
4480	Winhost.exe
5088	Winhost.exe
4360	Winhost.exe
2784	Winhost.exe
4636	Winhost.exe
4720	Winhost.exe
1740	Winhost.exe
1032	Winhost.exe
2368	Winhost.exe
712	Winhost.exe
4876	Winhost.exe
1672	Winhost.exe
2560	Winhost.exe
324	Winhost.exe
2584	Winhost.exe
2320	Winhost.exe
3076	Winhost.exe
1684	Winhost.exe
2724	Winhost.exe
4828	Winhost.exe
2052	Winhost.exe
2632	Winhost.exe
3320	Winhost.exe
2672	Winhost.exe
4404	Winhost.exe
1196	Winhost.exe
872	Winhost.exe
4484	Winhost.exe
4636	Winhost.exe
2968	Winhost.exe
1688	Winhost.exe
740	Winhost.exe
2600	Winhost.exe
992	Winhost.exe
4692	Winhost.exe
2412	Winhost.exe
4788	Winhost.exe
2388	Winhost.exe
796	Winhost.exe
1488	Winhost.exe
3972	Winhost.exe
2148	Winhost.exe
3448	Winhost.exe
3444	Winhost.exe
4968	Winhost.exe
4520	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com
1	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3104	powershell.exe
3104	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3104	3076	Seven.exe	81
PID 3076 wrote to memory of 3104	3076	Seven.exe	81
PID 3076 wrote to memory of 3896	3076	Seven.exe	83
PID 3076 wrote to memory of 3896	3076	Seven.exe	83
PID 3076 wrote to memory of 3692	3076	Seven.exe	84
PID 3076 wrote to memory of 3692	3076	Seven.exe	84
PID 3076 wrote to memory of 2188	3076	Seven.exe	85
PID 3076 wrote to memory of 2188	3076	Seven.exe	85
PID 3076 wrote to memory of 1312	3076	Seven.exe	86
PID 3076 wrote to memory of 1312	3076	Seven.exe	86
PID 3076 wrote to memory of 2532	3076	Seven.exe	87
PID 3076 wrote to memory of 2532	3076	Seven.exe	87
PID 3076 wrote to memory of 1332	3076	Seven.exe	88
PID 3076 wrote to memory of 1332	3076	Seven.exe	88
PID 3076 wrote to memory of 4928	3076	Seven.exe	89
PID 3076 wrote to memory of 4928	3076	Seven.exe	89
PID 3076 wrote to memory of 840	3076	Seven.exe	90
PID 3076 wrote to memory of 840	3076	Seven.exe	90
PID 3076 wrote to memory of 1192	3076	Seven.exe	91
PID 3076 wrote to memory of 1192	3076	Seven.exe	91
PID 3076 wrote to memory of 4204	3076	Seven.exe	92
PID 3076 wrote to memory of 4204	3076	Seven.exe	92
PID 3076 wrote to memory of 4484	3076	Seven.exe	93
PID 3076 wrote to memory of 4484	3076	Seven.exe	93
PID 3076 wrote to memory of 2944	3076	Seven.exe	94
PID 3076 wrote to memory of 2944	3076	Seven.exe	94
PID 3076 wrote to memory of 1336	3076	Seven.exe	95
PID 3076 wrote to memory of 1336	3076	Seven.exe	95
PID 3076 wrote to memory of 2420	3076	Seven.exe	96
PID 3076 wrote to memory of 2420	3076	Seven.exe	96
PID 2532 wrote to memory of 3888	2532	cmd.exe	97
PID 2532 wrote to memory of 3888	2532	cmd.exe	97
PID 2944 wrote to memory of 3568	2944	cmd.exe	98
PID 2944 wrote to memory of 3568	2944	cmd.exe	98
PID 1312 wrote to memory of 1464	1312	cmd.exe	99
PID 1312 wrote to memory of 1464	1312	cmd.exe	99
PID 4204 wrote to memory of 872	4204	cmd.exe	100
PID 4204 wrote to memory of 872	4204	cmd.exe	100
PID 2420 wrote to memory of 4916	2420	cmd.exe	101
PID 2420 wrote to memory of 4916	2420	cmd.exe	101
PID 1336 wrote to memory of 4368	1336	cmd.exe	102
PID 1336 wrote to memory of 4368	1336	cmd.exe	102
PID 4484 wrote to memory of 3416	4484	cmd.exe	104
PID 4484 wrote to memory of 3416	4484	cmd.exe	104
PID 4916 wrote to memory of 4476	4916	Winhost.exe	105
PID 4916 wrote to memory of 4476	4916	Winhost.exe	105
PID 4476 wrote to memory of 2932	4476	Winhost.exe	108
PID 4476 wrote to memory of 2932	4476	Winhost.exe	108
PID 2932 wrote to memory of 3868	2932	Winhost.exe	110
PID 2932 wrote to memory of 3868	2932	Winhost.exe	110
PID 3868 wrote to memory of 4196	3868	Winhost.exe	112
PID 3868 wrote to memory of 4196	3868	Winhost.exe	112
PID 4196 wrote to memory of 1616	4196	Winhost.exe	114
PID 4196 wrote to memory of 1616	4196	Winhost.exe	114
PID 1616 wrote to memory of 4696	1616	Winhost.exe	116
PID 1616 wrote to memory of 4696	1616	Winhost.exe	116
PID 4696 wrote to memory of 648	4696	Winhost.exe	118
PID 4696 wrote to memory of 648	4696	Winhost.exe	118
PID 648 wrote to memory of 4812	648	Winhost.exe	120
PID 648 wrote to memory of 4812	648	Winhost.exe	120
PID 4812 wrote to memory of 4832	4812	Winhost.exe	122
PID 4812 wrote to memory of 4832	4812	Winhost.exe	122
PID 4832 wrote to memory of 1508	4832	Winhost.exe	124
PID 4832 wrote to memory of 1508	4832	Winhost.exe	124

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3568	attrib.exe
3888	attrib.exe
3416	attrib.exe
4368	attrib.exe
872	attrib.exe
1464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:3896
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:3692
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:2188
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1464
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:1332
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:840
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:1192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:872
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:3416
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:3568
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4368
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        
        PID:572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        
        PID:1192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1196

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2560
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2584
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3076
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        
        PID:744
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        
        PID:5012
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        
        PID:3944
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4196
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1164
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3060
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:4880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:5084
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:4488
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:1964
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:1512
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:1384
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:2880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:324
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:5072
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        
        PID:2336
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        
        PID:2720
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        
        PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
163B

MD5
c15e3dbb2024008885475920e97345d0

SHA1
2c01a26a23c44c91e1033d2e31db53f042a22f73

SHA256
20384a56d7849036a97892dee596afd7d91fec6d8f5545206aedabe0940272f5

SHA512
ac9e529221a250a00b0ad96fa5ecebd104527006801bd972caba51d658d5b93be49facdb8270e4006a142f8feb2b33be0bdef869e6a16f584684edb1471f8e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
c502cc9d89223687d5c482e795c84b79

SHA1
2440a6c5cd69789bcde59365275acb9fa183208f

SHA256
baac80b3495d3fdf0bf66885235366b7019f55fa84eae08d2d4bfbbbf67ab69d

SHA512
541f85335a1ee1e73ea6a69210c66f12aa4776a4693bb3efbe11c0d484df21b9e07f894756888da3823117370de250fc9d83b45a3d8629e2629795e4825ddc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
3dbaa0e58ac3fbb2c0360e393e60f6ba

SHA1
868b0bd70de157addcffdcdb5e9bf08783630dac

SHA256
daee76184fbf304a185a24f35a731d0027f2a6eea54aa8e0addb6d2a22cd8203

SHA512
e65145f154c4d384e1868d137405b643ecf72784e7f973d08b99c1629b37eee528000de0c4f4ba10bb5ff4b32696428e861df366e9db3d8f2bfc30789a3c80ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
ace5d585a30ca665757a8c7af04d5748

SHA1
3663f873f4b90df523ded87a1f22f0366c6754e2

SHA256
ed49eeca461842305eff099f2faea98354e33616965463d7d6dce2a6de147e85

SHA512
65676c59557bfa42b01b05067d422897fc5aaa79d7ae3e0da1fdbe96b37b62f13caa14fc640756422c542b52667773f3c9ef2b3a2eb14837c7986475c869c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
40aeb8cb19fefb443b88bcfe0fe2b9b9

SHA1
02b31515ffe06c68763e934b06fdd7e3facaa127

SHA256
6faf548acf3d2bf47380804ce3c305f24822d8c44899f1ad633ea3c57e77579d

SHA512
5dd010a28ee0fc2c08c73963b720261c958d7663de93bd811a07f9de5df566eeafcf25d8a6354348a5e9a87c1f1fb04ef4fb692877e2b35ef8876977084c88b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcq3oel0.2wu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420

Filesize
51KB

MD5
f14ebdbbc002c8ca15a7b7e139b01b25

SHA1
361c8e0f9e1480937b44cb208b65da4cd85d3d52

SHA256
c4ac4b34f8ac38a53e2eb6f1b35fefc01cd61c9c325e6ddf5f2d54de518515b8

SHA512
a9b2de5fd410db8e58b10fd8b0d854c8c9b191cc4157d38adb07600ee89110665169849d84692a749798db7063de233d837d31f1b0a85b248bad7f32ee4fb269

Download Submit
C:\Users\Public\Documents\Seven.dll

Filesize
1.3MB

MD5
45468689f5b2c655251b9f44342dc067

SHA1
00b6e0b89cb406f720c397e17c0bb729a2b21e7f

SHA256
75fbeb58b96447dcdad43ec8b81f4e96b97d3f74cfea61d3a91fda158b75b307

SHA512
632c26b7f705b1e282652e2ada7f4aa7f550a24c9e3406ab28edb6cef7eb52a0529a5a494b7a62360e289f5ddf26e67a16e25892f190c92c563f3b0f7cfae2df

Download Submit
C:\Users\Public\Documents\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
379KB

MD5
ae31795f3b4fc538e1c21597e42b2c4e

SHA1
ea4a7f2ab5c13eec2fe134733638a53b73c8953b

SHA256
aaaa60806e9ae5a47b9f2b1cfc2189380665ec63c4515b36a4848ad55b06175f

SHA512
bec91bd68c7dbcdf6347181abb566e084f6fae4bde0ebcc1d30584c39927f2d30795b1a4cbe318491eab9385ea7042254246a8974bdb3b351457fdde07baddad

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
6bd5c06d30e85815337ce316637fdb78

SHA1
24c5a9bf14d7e7a177ea1cc1f953205b46f70a21

SHA256
eb9b388f17d2cc7aad3937cafeecd3f337315aebccdf4d8874ff9f8cd0628f16

SHA512
8876e6eeb0d03a74644227c56bcd0838d8972ec5a04d7b3bb92eba4e5389c93658dead4cb14b32c1774b395227b32d4119b9f780c8046e5d2533f54cd0bee82c

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
394KB

MD5
388d11d810aa340948cc9a1b3cb827c5

SHA1
adb689366088d51cbc4dc3021a0c32c05f4a7c5b

SHA256
47ecad2d15a0d2541e483fa69cd8f9785caac56c86ff339776889883649c176a

SHA512
e8b16b141dbb201c08e0633dc49e1a022bb9d2da9d5a7f9c80e146b37ab6ebf8fffb6efe2365975c3826d6fc75bffcb233aad46fe9cdf59b184491a4ef747b1f

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
80KB

MD5
ab2fd0d1daaa79da0fc2282c687405a0

SHA1
58ff34660cd7a73cb60d2dbbb53bcc435804676a

SHA256
507eb162f63213861134f232cc9986292cfa316f83bfdfda1a3a6151f9fae73d

SHA512
bde549c0210f9b58e1198ab9f8b1ead2311cd5ff80019d349111069971c9d5f09bfa57cdfd6ce2d6f702658265d53d1c078e4db33890a72ae06b94da0ad7b3ee

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
167KB

MD5
c743ed577c5bde87dfb860ba76665344

SHA1
bcde29285e72715be6f93661337e03c3bd5cde6f

SHA256
8404c6baa71d7c9f181cd54c8d1a960ee823c7d81ed7833326f5c8bb5178e2ef

SHA512
4562e74605e9892329b826cea0ee96b7a1c739d967cd46b1985de44065c9ccc29d3a56d59d03aa06fbdc804a9226840ad3832ef65952896d2bf75a2426f05ae8

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
43a422f15316f58a1c08a322ae9534de

SHA1
b1ffa992731f0f2ebc5c1cb65808d316c1f32e5d

SHA256
40f0794cd05d2ef53aeea243bc1a998495115c825c8e97b3766e1d8c81567d2d

SHA512
251232ba0ed892fa811a67d8391ad34c96e6df366a13e65824be7cc8fe85ae3d0b414f34c16a3602d39582fc504dad92f9254c340adee9adedfc4eb759338304

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
0a261338819c3594a0de7c1303fe5dc7

SHA1
ff88a4df63ed0debc1426b1f34dd2d1bdc877e9a

SHA256
3554fa7dfc68b950264f2781f8e150c61f3e7f4bc401d0fedbb33e00aaa9735d

SHA512
7b4473cb96940086fffe67d9f61008d0a2ad8934beb0a84035b6138166697ebf9fa3063583c14cadf50bfcb6defcb87a364250510e5c603576f336ac77911ed7

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
140f61dac89eddf2770f55a1b003332c

SHA1
dde0449e81b554bbc372a7ad1bde7790af2ea90b

SHA256
ea3ccc848f9a700536ebc4b61752e94609b9829c025b6672303bf66dc3beece8

SHA512
4991d28c4d6a49de53daa0a0d8719b07b0006efe5c5bbfcc50553d24e7b33a1b4e60946a7c55fc936cc9c5e5435a90526d9cd31a9a36122c518f6e6f4b208512

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
170KB

MD5
6d9844b6cacfd435c76a8a41f1916510

SHA1
0f6f9a9a762031a0f3b57c21c12d0c4dc12c49f2

SHA256
591ae4a66e4cef42c12fb385d4d625b38e78bd31168db359598a544d57dfe3fa

SHA512
5ee9132baacd82e534843fd9bc7a1be0ab3dadfb8b77d3a4ff53696ac4a6d58bcee56dcae4585f34fd09ac7721c38531f660965ff612c82045e0baf0cef77449

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
190KB

MD5
521d1fbd2a1bd722ab80d546536082c2

SHA1
15c9aec0ae15403571f3eaa54cc0b5f861d75222

SHA256
cfb268015777bb3df32ae5d9ed48b6c4db4dfceb07666a17d1e264d9f8954d40

SHA512
8970d747595cafcd0955f9446de19dfe7ea961d5446004c8b53c7fc71d44eb9dfd5f894473939f348da7a9f0a209f78e98c60eb66ba0ed7bd524ecdd81ad2789

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
dccf394f23df729da57d5113d508abbc

SHA1
00f3ac82cc8913e9ae4a901301ff2e7c12f29139

SHA256
b6f56de5468c94328d7f334515b5e6e8417af87bb220d134994df8f60c1e3e8b

SHA512
e2762871b23fb5b41c37896da034a4352fa118e6385bab045ba162e9b7b5649040e5a1b888e13a52fbed765a80d766441dc8411b09b06b8305eb14f1b0edfe54

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
1a86eac88f2969e6578d78a077d4cfbb

SHA1
7d3b9de2c133a27b7f76da21e2d75c09a25a8868

SHA256
da1aa3233860bf91ab0b2617eb9a9b2dc7e2a5ef1f76bb74b3023257a170756b

SHA512
2fd980b24c25b86043c8d47efb28751e00d1680b5ec69f11bb669009f5afb2ce071c64158758a8b498363008225fa0fb3b191a0180bc72265eadfafa547c7847

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
81634415364b8d5dfc18c152020af5a2

SHA1
f8edfe3d70e547c268ef6fa5db57abf635dff124

SHA256
10927b3858777cc2ef269cb3f747022abbfc665f3c751cfce7399482cdde5d72

SHA512
599a1ecd61d869823eea1de4bb274e3bcfa4e2c45c183cecadc6fa9db2e402fe358a4c62c55c385c6c21c190c4da2a1b4992ef8de50e5e3489f05f5842fd13ea

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
ab5271eb2fb30672f7e77b85f36ec724

SHA1
38da613209ab71e9336fd470a9b590e1ea583eed

SHA256
9f4f4e7796775227bb3cf0bf8f9cbfdcc12aabf6060748a091ed5979d208094b

SHA512
072f55fa5c4d81192777fc84200344c7011d6ba3a66a727414936012d86bdddd3c49d72ff7751fd9923023415aa4361e375366cc8d3fca09548f81d813f8f531

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
ab91da329949e62ae9a97f336daa2f74

SHA1
570dbf8bf6ad4aefdab203f27b1eaf61673f046f

SHA256
bb2cfa14425705b44025cf98d2e43917b349772d8c6b81c5320b689520d8cb53

SHA512
b54fd7775b89e12f54b37d62c110ef3a7078029d25e4de7cb2b62e6df9cb3f44c2c60ed3b1ed74e3b48c9c51945675c517fb8d67353529eb21dc9f226c263197

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
b2592dd8f34443bd4173189b83e93f60

SHA1
9274e7ecbad663e3f8bf2eb93cf3e8cee2efec03

SHA256
b0379752de3fdce4ee6e1b4e975dc9114cb181bc9cfb94f9f66956067bbc1efc

SHA512
c78e36b0b8a6f1861826a5c954e3ddfa9a7e51bd5dd500fb7d5b119f5977a40a74e6b3a27b33507f7ceb69372251266fbbbce343529e6b3fcb2c0ffd31b90255

Download Submit
memory/3104-13-0x00000144D05B0000-0x00000144D05C0000-memory.dmp

Filesize
64KB

Download
memory/3104-16-0x00007FFDC96D0000-0x00007FFDCA192000-memory.dmp

Filesize
10.8MB

Download
memory/3104-10-0x00000144D05B0000-0x00000144D05C0000-memory.dmp

Filesize
64KB

Download
memory/3104-11-0x00000144D05B0000-0x00000144D05C0000-memory.dmp

Filesize
64KB

Download
memory/3104-12-0x00000144D05B0000-0x00000144D05C0000-memory.dmp

Filesize
64KB

Download
memory/3104-8-0x00000144D04D0000-0x00000144D04F2000-memory.dmp

Filesize
136KB

Download
memory/3104-9-0x00007FFDC96D0000-0x00007FFDCA192000-memory.dmp

Filesize
10.8MB

Download